Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1579298
MD5: 7dc7a8d2e9d44cae10b9b55b65585ddc
SHA1: 3e78d38a9ce837926831ea27a0efb1a262877334
SHA256: efbfd7a968dc584c166551f171937da09dd94178b8c27e09f5eab73d1641d0d0
Tags: exe, user-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Stealc
AI detected suspicious sample
Allocates memory in foreign processes
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Unusual Parent Process For Cmd.EXE
Sleep loop found (likely to delay execution)
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it to receive orders. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Virustotal: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 55%
Source: file.exe Virustotal: Detection: 58%
Source: file.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\Netstat\taskhostw.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gdi32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\im2o0Q8[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526550207.00000199E4323000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2780465677.00000237B0DE2000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2780286086.00000237AEF7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542469364.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2805781398.00000237B0E20000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2806761498.00000237B1999000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: 0KGPkVX.exe, 00000007.00000003.2525035843.00000199E43D0000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524906329.00000199E4332000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587175748.00000199E466D000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587175748.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524685265.00000199E432D000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524906329.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525067213.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2771030188.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775456070.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2772272854.00000237B0DF0000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775822441.00000237B0880000.00000004.00001000.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2842911347.00000237B10E4000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775899864.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 0KGPkVX.exe, 00000007.00000003.2530770935.00000199E4800000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530896172.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2791564295.00000237B08B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540140145.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804039261.00000237B1137000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540140145.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804039261.00000237B1137000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538232700.00000199E45B9000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2802724506.00000237B0E18000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2803085246.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2802101594.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2803237022.00000237B0E1F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525811462.00000199E4332000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2778149525.00000237B0DE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: 0KGPkVX.exe, 00000007.00000003.2537574628.00000199E4800000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541787031.00000199E4950000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2537620070.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541827507.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804881787.00000237B1370000.00000004.00001000.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804934104.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804491302.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2801212396.00000237B08B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: chrome.exe Memory has grown: Private usage: 0MB later: 29MB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089E0C0 recv,recv,recv,recv, 0_2_0089E0C0
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: taskhostw.exe, 00000036.00000003.2780286086.00000237AEF7F000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2805733391.00000237B1143000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://notepoud-plus.cn.com/error.php?ref=
Source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://notepoud-plus.cn.com/validation.php?token=1dvdnavds8hsd98chda9hcdsahcd8r43bjb4b3kjbr4b3jk&ref
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 0000000A.00000003.2691912151.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 0000000A.00000003.2691912151.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.3046409300.000000000285D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.3035642877.0000000002858000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714253071.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2713947965.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/
Source: aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/R
Source: aspnet_regiis.exe, 0000000A.00000003.2688751763.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2687985373.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2690577709.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2687785737.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2688092488.0000000004FAA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2689610573.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714253071.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2713947965.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/The
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723994040.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723213122.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723742687.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723498753.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2722240097.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2722936027.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/YJZ
Source: aspnet_regiis.exe, 0000000A.00000003.3035642877.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726296508.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728624365.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2724742164.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2634798240.00000000027EC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727851900.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723498753.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723742687.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726047574.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728337687.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723213122.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723994040.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2724446404.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2873028429.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 
0000000A.00000003.2728097001.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727593553.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/api
Source: aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/api:
Source: aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apiF
Source: aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apil
Source: aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apiliteR
Source: aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apip~
Source: aspnet_regiis.exe, 0000000A.00000003.3035642877.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/api~5
Source: aspnet_regiis.exe, 0000000A.00000003.2609684175.000000000281D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/ft
Source: aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/lJO
Source: aspnet_regiis.exe, 0000000A.00000003.3036125237.0000000004FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat:443/api
Source: aspnet_regiis.exe, 0000000A.00000003.2725004156.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726296508.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728624365.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2724742164.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2730250385.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727851900.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723498753.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723742687.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726047574.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728337687.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723213122.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723994040.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2724446404.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728097001.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727593553.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2725233317.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2722936027.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat:443/apiR
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ip
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ipbefore
Source: aspnet_regiis.exe, 0000000A.00000003.2691912151.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://peps.python.org/pep-0263/
Source: aspnet_regiis.exe, 0000000A.00000003.2639162987.0000000005003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 0000000A.00000003.2666492056.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639782626.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639162987.0000000005001000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2666115003.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 0000000A.00000003.2666492056.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639782626.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639162987.0000000005001000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2666115003.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.python.org/psf/license/
Source: cmd.exe Process created: 43

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: .idata
Source: random[1].exe.5.dr Static PE information: section name:
Source: c12cb864c6.exe.5.dr Static PE information: section name:
Source: c12cb864c6.exe.5.dr Static PE information: section name: .idata
Source: c12cb864c6.exe.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: 5b6f15dae8.exe.5.dr Static PE information: section name:
Source: 5b6f15dae8.exe.5.dr Static PE information: section name: .idata
Source: 5b6f15dae8.exe.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: .idata
Source: random[1].exe1.5.dr Static PE information: section name:
Source: e7a505b613.exe.5.dr Static PE information: section name:
Source: e7a505b613.exe.5.dr Static PE information: section name: .idata
Source: e7a505b613.exe.5.dr Static PE information: section name:
Source: random[1].exe2.5.dr Static PE information: section name:
Source: random[1].exe2.5.dr Static PE information: section name: .idata
Source: df1fc80896.exe.5.dr Static PE information: section name:
Source: df1fc80896.exe.5.dr Static PE information: section name: .idata
Source: random[2].exe1.5.dr Static PE information: section name:
Source: random[2].exe1.5.dr Static PE information: section name: .idata
Source: acfd211374.exe.5.dr Static PE information: section name:
Source: acfd211374.exe.5.dr Static PE information: section name: .idata
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory allocated: 72C40000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C364500 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,CreateProcessW,NtGetContextThread,NtWriteVirtualMemory,NtReadVirtualMemory,NtSetContextThread,NtResumeThread,CloseHandle,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread,NtGetContextThread, 8_2_6C364500
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C3636A0 GetModuleHandleW,NtQueryInformationProcess, 8_2_6C3636A0
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D78BB 0_2_008D78BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D7049 0_2_008D7049
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D8860 0_2_008D8860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D31A8 0_2_008D31A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00894B30 0_2_00894B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00894DE0 0_2_00894DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D2D10 0_2_008D2D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D779B 0_2_008D779B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C7F36 0_2_008C7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C478BB 1_2_00C478BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C47049 1_2_00C47049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C48860 1_2_00C48860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C431A8 1_2_00C431A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C04B30 1_2_00C04B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C04DE0 1_2_00C04DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C42D10 1_2_00C42D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C4779B 1_2_00C4779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C37F36 1_2_00C37F36
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C364500 8_2_6C364500
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C3636A0 8_2_6C3636A0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C35DF30 8_2_6C35DF30
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C355830 8_2_6C355830
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37F830 8_2_6C37F830
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C372030 8_2_6C372030
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C372820 8_2_6C372820
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C351010 8_2_6C351010
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C378810 8_2_6C378810
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C38CC10 8_2_6C38CC10
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C38F000 8_2_6C38F000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C391000 8_2_6C391000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C371870 8_2_6C371870
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C373C60 8_2_6C373C60
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C370840 8_2_6C370840
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C388440 8_2_6C388440
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C36E880 8_2_6C36E880
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C378CF0 8_2_6C378CF0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C3824E0 8_2_6C3824E0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C38E4D0 8_2_6C38E4D0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37B8C0 8_2_6C37B8C0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C370130 8_2_6C370130
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C375510 8_2_6C375510
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C377500 8_2_6C377500
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37CD60 8_2_6C37CD60
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37A550 8_2_6C37A550
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C35D140 8_2_6C35D140
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37BDB0 8_2_6C37BDB0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C36D9A0 8_2_6C36D9A0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37ADA0 8_2_6C37ADA0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C376190 8_2_6C376190
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37E9F0 8_2_6C37E9F0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C3801F0 8_2_6C3801F0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C3791E0 8_2_6C3791E0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C376E30 8_2_6C376E30
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C381E20 8_2_6C381E20
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C384620 8_2_6C384620
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C38AA10 8_2_6C38AA10
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37DA00 8_2_6C37DA00
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C389E00 8_2_6C389E00
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C390600 8_2_6C390600
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C388A70 8_2_6C388A70
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C36C660 8_2_6C36C660
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C374260 8_2_6C374260
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C377E60 8_2_6C377E60
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C378260 8_2_6C378260
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C371290 8_2_6C371290
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37EE80 8_2_6C37EE80
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C370EF0 8_2_6C370EF0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C3612D0 8_2_6C3612D0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C36EED0 8_2_6C36EED0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C389AD0 8_2_6C389AD0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C38F6C0 8_2_6C38F6C0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C38D720 8_2_6C38D720
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C376700 8_2_6C376700
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C380F70 8_2_6C380F70
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C36DF60 8_2_6C36DF60
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C373360 8_2_6C373360
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C386B50 8_2_6C386B50
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C38DFB0 8_2_6C38DFB0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C385FB0 8_2_6C385FB0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37DBA0 8_2_6C37DBA0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C381BA0 8_2_6C381BA0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C375B90 8_2_6C375B90
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C38C3F0 8_2_6C38C3F0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C35DBE0 8_2_6C35DBE0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37E3E0 8_2_6C37E3E0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37CFE0 8_2_6C37CFE0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C37FBD0 8_2_6C37FBD0
Source: C:\Users\user\Desktop\file.exe Code function: String function: 008A80C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00C180C0 appears 130 times
Source: 0KGPkVX[1].exe.5.dr Static PE information: Resource name: PYTHON311.DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: 0KGPkVX.exe.5.dr Static PE information: Resource name: PYTHON311.DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: taskhostw.exe.7.dr Static PE information: Resource name: PYTHON311.DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: random[1].exe.5.dr Static PE information: Section: cfpxwuqa ZLIB complexity 0.9943564062056234
Source: c12cb864c6.exe.5.dr Static PE information: Section: cfpxwuqa ZLIB complexity 0.9943564062056234
Source: random[1].exe0.5.dr Static PE information: Section: hryplxhh ZLIB complexity 0.990152970564156
Source: 5b6f15dae8.exe.5.dr Static PE information: Section: hryplxhh ZLIB complexity 0.990152970564156
Source: random[1].exe1.5.dr Static PE information: Section: ZLIB complexity 0.997418129280822
Source: random[1].exe1.5.dr Static PE information: Section: cgayxfzg ZLIB complexity 0.9948199209199267
Source: e7a505b613.exe.5.dr Static PE information: Section: ZLIB complexity 0.997418129280822
Source: e7a505b613.exe.5.dr Static PE information: Section: cgayxfzg ZLIB complexity 0.9948199209199267
Source: random[1].exe.5.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: c12cb864c6.exe.5.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@179/28@0/16
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5224:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Users\Public\Netstat\taskhostw.exe Mutant created: \Sessions\1\BaseNamedObjects\T
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3368:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_03
Source: C:\Users\Public\Netstat\taskhostw.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\Public\Netstat\taskhostw.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe System information queried: HandleInformation
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId, Name, SerialNumber FROM WIN32_PROCESSOR
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 7720)
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: aspnet_regiis.exe, 0000000A.00000003.2638750800.0000000004FD9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639492468.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 58%
Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: e7a505b613.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe "C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe "C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe"
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get ProcessorId,Name,SerialNumber /format:csv
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid,IdentifyingNumber,Name /format:csv"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid,IdentifyingNumber,Name /format:csv
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic bios get SerialNumber,Name /format:csv"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic bios get SerialNumber,Name /format:csv
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe "C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\taskhostw.exe C:\Users\Public\Netstat\taskhostw.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe "C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown Process created: C:\Users\Public\Netstat\taskhostw.exe "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown Process created: C:\Users\Public\Netstat\taskhostw.exe "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe "C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe"
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2200,i,14515851997365013362,8630844059888402974,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe "C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe "C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe "C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe "C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe "C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid,IdentifyingNumber,Name /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic bios get SerialNumber,Name /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe"
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get ProcessorId,Name,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid,IdentifyingNumber,Name /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic bios get SerialNumber,Name /format:csv
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\taskhostw.exe C:\Users\Public\Netstat\taskhostw.exe
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2200,i,14515851997365013362,8630844059888402974,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: unknown unknown
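The process-creation records above contain, in raw form, the behaviours the report's signatures name: a Run key written under HKCU and HKLM that points at a taskhostw.exe copy in C:\Users\Public, repeated tasklist enumeration, WMIC queries for CPU, BIOS and product serials, a taskkill-and-del self-removal, firefox.exe being killed, and Chrome being started by a dropped executable with --remote-debugging-port=9229 (the Application-Bound Encryption bypass attempt). The following Python script is an added example, not part of the Joe Sandbox report and not code belonging to any of the malware families it names. It parses a subset of these records, copied into the script as constructed sample input, and applies detection rules modelled on the report's Sigma hits. The rule names, the tasklist threshold and the short list of Windows process names expected only under C:\Windows are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the report's "Process created" records, copied verbatim.
SAMPLE_RECORDS = [
    r'Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"',
    r'Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"',
    r'Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get ProcessorId,Name,SerialNumber /format:csv',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid,IdentifyingNumber,Name /format:csv',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic bios get SerialNumber,Name /format:csv',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\taskhostw.exe C:\Users\Public\Netstat\taskhostw.exe',
    r'Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""',
    r'Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T',
    r'Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown',
]

RECORD_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<rest>.+)$')
# The image path ends at the first ".exe"; whatever follows a space is the command line.
IMAGE_RE = re.compile(r'^(?P<image>.+?\.exe)(?: (?P<cmdline>.*))?$', re.IGNORECASE)

# Assumed lists for this example: directories treated as trusted, process names expected only
# under them, and path fragments that mark user-writable locations.
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
WINDOWS_PROCESS_NAMES = {'taskhostw.exe', 'svchost.exe', 'conhost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe'}
USER_WRITABLE_HINTS = ('\\users\\public\\', '\\appdata\\local\\temp\\', '%public%', '%temp%')


def parse_records(lines):
    """Turn report lines into dicts with parent, image (None if unresolved) and cmdline."""
    events = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rest = m['rest']
        if rest == 'unknown unknown':  # the sandbox could not resolve the child
            events.append({'parent': m['parent'], 'image': None, 'cmdline': ''})
            continue
        mi = IMAGE_RE.match(rest)
        if mi:
            events.append({'parent': m['parent'], 'image': mi['image'], 'cmdline': mi['cmdline'] or ''})
    return events


def basename(path):
    return path.lower().rsplit('\\', 1)[-1]


def check_event(ev):
    """Per-event rules; returns a list of (rule, detail) tuples."""
    hits = []
    image, cmd = ev['image'], ev['cmdline']
    low = cmd.lower()
    if image:
        img = image.lower()
        if basename(img) in WINDOWS_PROCESS_NAMES and not img.startswith(TRUSTED_DIRS):
            hits.append(('masquerading_system_name', image))
        # DevTools port opened on Chrome by a parent that is not Chrome itself.
        if basename(img) == 'chrome.exe' and '--remote-debugging-port=' in low \
                and basename(ev['parent']) != 'chrome.exe':
            hits.append(('chrome_remote_debugging', f'{ev["parent"]} -> {cmd}'))
    if 'reg add' in low and '\\currentversion\\run' in low and any(h in low for h in USER_WRITABLE_HINTS):
        hits.append(('run_key_to_user_writable_path', cmd))
    if low.startswith('wmic') and any(k in low for k in ('processorid', 'uuid', 'serialnumber')):
        hits.append(('hardware_fingerprinting', cmd))
    if 'taskkill' in low and '/pid' in low and re.search(r'\bdel\b', low):
        hits.append(('self_deletion', cmd))
    if 'taskkill' in low and '/im' in low and re.search(r'(firefox|chrome|msedge)\.exe', low):
        hits.append(('browser_killed', cmd))
    return hits


def check_enumeration_loops(events, threshold=3):
    """Flag a parent that spawns tasklist repeatedly (process-monitor detection loop)."""
    counts = Counter(ev['parent'] for ev in events if re.search(r'\btasklist\b', ev['cmdline'].lower()))
    return [('repeated_tasklist', f'{parent} x{n}') for parent, n in counts.items() if n >= threshold]


def analyse(lines):
    """Run all rules over the records and group findings by rule name."""
    events = parse_records(lines)
    findings = {}
    for ev in events:
        for rule, detail in check_event(ev):
            findings.setdefault(rule, []).append(detail)
    for rule, detail in check_enumeration_loops(events):
        findings.setdefault(rule, []).append(detail)
    return findings


if __name__ == '__main__':
    for rule, details in sorted(analyse(SAMPLE_RECORDS).items()):
        print(rule)
        for detail in details:
            print('   ', detail)
```

Each rule keys on what the report's own records show rather than on the dropped file names, so the same script can be pointed at a different sandbox run or at Sysmon event 1 output once the parent, image and command line are extracted. The chrome rule deliberately requires a non-Chrome parent: Chrome launching its own helper processes with debugging flags during development is legitimate, a stealer launching the browser with the DevTools port open is not.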
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: libffi-8.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: version.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: vcruntime140.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libffi-8.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: mswsock.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: dnsapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: rasadhlp.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: rstrtmgr.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: ncrypt.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: ntasn1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: dpapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: version.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: vcruntime140.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libffi-8.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: mswsock.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: dnsapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: rasadhlp.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: version.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: vcruntime140.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libffi-8.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: mswsock.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: dnsapi.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: rasadhlp.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Netstat\taskhostw.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 3185152 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of cqjlvrjj is bigger than: 0x100000 < 0x29dc00
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526550207.00000199E4323000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2780465677.00000237B0DE2000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2780286086.00000237AEF7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542469364.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2805781398.00000237B0E20000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2806761498.00000237B1999000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: 0KGPkVX.exe, 00000007.00000003.2525035843.00000199E43D0000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524906329.00000199E4332000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587175748.00000199E466D000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587175748.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524685265.00000199E432D000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524906329.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525067213.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2771030188.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775456070.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2772272854.00000237B0DF0000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775822441.00000237B0880000.00000004.00001000.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2842911347.00000237B10E4000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775899864.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 0KGPkVX.exe, 00000007.00000003.2530770935.00000199E4800000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530896172.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2791564295.00000237B08B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540140145.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804039261.00000237B1137000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540140145.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804039261.00000237B1137000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538232700.00000199E45B9000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2802724506.00000237B0E18000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2803085246.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2802101594.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2803237022.00000237B0E1F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525811462.00000199E4332000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2778149525.00000237B0DE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: 0KGPkVX.exe, 00000007.00000003.2537574628.00000199E4800000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541787031.00000199E4950000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2537620070.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541827507.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804881787.00000237B1370000.00000004.00001000.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804934104.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804491302.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2801212396.00000237B08B0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.890000.0.unpack :EW;.rsrc:W;.idata :W;cqjlvrjj:EW;fvbffgym:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cqjlvrjj:EW;fvbffgym:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W;cqjlvrjj:EW;fvbffgym:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cqjlvrjj:EW;fvbffgym:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Unpacked PE file: 65.2.e7a505b613.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cgayxfzg:EW;rvxmyzlm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cgayxfzg:EW;rvxmyzlm:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.5.dr Static PE information: real checksum: 0x4491e0 should be: 0x43fa47
Source: random[1].exe1.5.dr Static PE information: real checksum: 0x1cb624 should be: 0x1ca30e
Source: im2o0Q8[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0xac353
Source: random[1].exe2.5.dr Static PE information: real checksum: 0x2d3d86 should be: 0x2c99cd
Source: acfd211374.exe.5.dr Static PE information: real checksum: 0x2a9f9e should be: 0x2a7834
Source: 5b6f15dae8.exe.5.dr Static PE information: real checksum: 0x1dd989 should be: 0x1e226e
Source: df1fc80896.exe.5.dr Static PE information: real checksum: 0x2d3d86 should be: 0x2c99cd
Source: gdi32.dll.8.dr Static PE information: real checksum: 0x0 should be: 0xa0f55
Source: e7a505b613.exe.5.dr Static PE information: real checksum: 0x1cb624 should be: 0x1ca30e
Source: c12cb864c6.exe.5.dr Static PE information: real checksum: 0x4491e0 should be: 0x43fa47
Source: 0KGPkVX[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0x8bdec1
Source: random[2].exe1.5.dr Static PE information: real checksum: 0x2a9f9e should be: 0x2a7834
Source: file.exe Static PE information: real checksum: 0x30c545 should be: 0x317923
Source: skotes.exe.0.dr Static PE information: real checksum: 0x30c545 should be: 0x317923
Source: 0KGPkVX.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x8bdec1
Source: random[1].exe0.5.dr Static PE information: real checksum: 0x1dd989 should be: 0x1e226e
Source: taskhostw.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x8bdec1
Source: im2o0Q8.exe.5.dr Static PE information: real checksum: 0x0 should be: 0xac353
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: cqjlvrjj
Source: file.exe Static PE information: section name: fvbffgym
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name: cqjlvrjj
Source: skotes.exe.0.dr Static PE information: section name: fvbffgym
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: .idata
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: cfpxwuqa
Source: random[1].exe.5.dr Static PE information: section name: eexnemuq
Source: random[1].exe.5.dr Static PE information: section name: .taggant
Source: c12cb864c6.exe.5.dr Static PE information: section name:
Source: c12cb864c6.exe.5.dr Static PE information: section name: .idata
Source: c12cb864c6.exe.5.dr Static PE information: section name:
Source: c12cb864c6.exe.5.dr Static PE information: section name: cfpxwuqa
Source: c12cb864c6.exe.5.dr Static PE information: section name: eexnemuq
Source: c12cb864c6.exe.5.dr Static PE information: section name: .taggant
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: hryplxhh
Source: random[1].exe0.5.dr Static PE information: section name: kfhnvius
Source: random[1].exe0.5.dr Static PE information: section name: .taggant
Source: 5b6f15dae8.exe.5.dr Static PE information: section name:
Source: 5b6f15dae8.exe.5.dr Static PE information: section name: .idata
Source: 5b6f15dae8.exe.5.dr Static PE information: section name:
Source: 5b6f15dae8.exe.5.dr Static PE information: section name: hryplxhh
Source: 5b6f15dae8.exe.5.dr Static PE information: section name: kfhnvius
Source: 5b6f15dae8.exe.5.dr Static PE information: section name: .taggant
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: .idata
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: cgayxfzg
Source: random[1].exe1.5.dr Static PE information: section name: rvxmyzlm
Source: random[1].exe1.5.dr Static PE information: section name: .taggant
Source: e7a505b613.exe.5.dr Static PE information: section name:
Source: e7a505b613.exe.5.dr Static PE information: section name: .idata
Source: e7a505b613.exe.5.dr Static PE information: section name:
Source: e7a505b613.exe.5.dr Static PE information: section name: cgayxfzg
Source: e7a505b613.exe.5.dr Static PE information: section name: rvxmyzlm
Source: e7a505b613.exe.5.dr Static PE information: section name: .taggant
Source: random[1].exe2.5.dr Static PE information: section name:
Source: random[1].exe2.5.dr Static PE information: section name: .idata
Source: random[1].exe2.5.dr Static PE information: section name: prrpsiqo
Source: random[1].exe2.5.dr Static PE information: section name: wevongkt
Source: random[1].exe2.5.dr Static PE information: section name: .taggant
Source: df1fc80896.exe.5.dr Static PE information: section name:
Source: df1fc80896.exe.5.dr Static PE information: section name: .idata
Source: df1fc80896.exe.5.dr Static PE information: section name: prrpsiqo
Source: df1fc80896.exe.5.dr Static PE information: section name: wevongkt
Source: df1fc80896.exe.5.dr Static PE information: section name: .taggant
Source: random[2].exe1.5.dr Static PE information: section name:
Source: random[2].exe1.5.dr Static PE information: section name: .idata
Source: random[2].exe1.5.dr Static PE information: section name: juuuzidd
Source: random[2].exe1.5.dr Static PE information: section name: vjgjjgcb
Source: random[2].exe1.5.dr Static PE information: section name: .taggant
Source: acfd211374.exe.5.dr Static PE information: section name:
Source: acfd211374.exe.5.dr Static PE information: section name: .idata
Source: acfd211374.exe.5.dr Static PE information: section name: juuuzidd
Source: acfd211374.exe.5.dr Static PE information: section name: vjgjjgcb
Source: acfd211374.exe.5.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008AD91C push ecx; ret 0_2_008AD92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008A1359 push es; ret 0_2_008A135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C1D91C push ecx; ret 1_2_00C1D92F
Source: file.exe Static PE information: section name: entropy: 7.110293266300148
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.110293266300148
Source: im2o0Q8[1].exe.5.dr Static PE information: section name: .text entropy: 7.109162295570626
Source: im2o0Q8.exe.5.dr Static PE information: section name: .text entropy: 7.109162295570626
Source: random[1].exe.5.dr Static PE information: section name: cfpxwuqa entropy: 7.955414645153359
Source: c12cb864c6.exe.5.dr Static PE information: section name: cfpxwuqa entropy: 7.955414645153359
Source: random[1].exe0.5.dr Static PE information: section name: hryplxhh entropy: 7.948090849881547
Source: 5b6f15dae8.exe.5.dr Static PE information: section name: hryplxhh entropy: 7.948090849881547
Source: random[1].exe1.5.dr Static PE information: section name: entropy: 7.985055445795539
Source: random[1].exe1.5.dr Static PE information: section name: cgayxfzg entropy: 7.954843030921147
Source: e7a505b613.exe.5.dr Static PE information: section name: entropy: 7.985055445795539
Source: e7a505b613.exe.5.dr Static PE information: section name: cgayxfzg entropy: 7.954843030921147

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File created: C:\Users\Public\Netstat\taskhostw.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\im2o0Q8[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d3c5f87fc.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e7a505b613.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run df1fc80896.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run acfd211374.exe
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e7a505b613.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e7a505b613.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run df1fc80896.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run df1fc80896.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d3c5f87fc.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d3c5f87fc.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run acfd211374.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run acfd211374.exe
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6FB17 second address: A6FB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D8DA second address: A5D8DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5D8DE second address: A5D8E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6EAA0 second address: A6EABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6EC60 second address: A6EC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6F1EF second address: A6F1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9D6D14BEA6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6F1FA second address: A6F200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6F200 second address: A6F204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6F204 second address: A6F208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6F208 second address: A6F220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F9D6D14BEACh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6F220 second address: A6F22C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnp 00007F9D6D536296h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A71C5B second address: A71C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A71CBD second address: A71CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A71D4D second address: A71D52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A71D52 second address: A71D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D53629Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 0AE38522h 0x00000013 mov dl, A4h 0x00000015 mov dl, C9h 0x00000017 lea ebx, dword ptr [ebp+12446B48h] 0x0000001d movzx esi, di 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 push edi 0x00000025 pop edi 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A71D7E second address: A71D83 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A71F32 second address: A71F50 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D536296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F9D6D536298h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F9D6D536298h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A720A3 second address: A720AD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A90661 second address: A9066A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9066A second address: A90676 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D6D14BEAEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A90676 second address: A9069B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F9D6D53629Ah 0x0000000b jmp 00007F9D6D5362A5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9069B second address: A9069F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9094E second address: A90981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F9D6D5362A8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A90981 second address: A90998 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9D6D14BEB2h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A90998 second address: A909D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9D6D536296h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F9D6D5362A2h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 jmp 00007F9D6D5362A7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A909D5 second address: A909E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F9D6D14BEA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A90F74 second address: A90F7E instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D6D536296h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A91241 second address: A91245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A916A4 second address: A916A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A916A8 second address: A916B8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85626 second address: A8562A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8562A second address: A85630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85630 second address: A8563B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F9D6D536296h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A91FF6 second address: A91FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9214B second address: A92164 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Fh 0x00000007 jo 00007F9D6D536296h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A922E6 second address: A922FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A922FD second address: A92316 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9D6D536296h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F9D6D53629Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A92316 second address: A9233A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9D6D14BEB9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A99E second address: A9A9A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A9A2 second address: A9A9A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A9A6 second address: A9A9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D5362A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A65EF1 second address: A65EFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F9D6D14BEA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A65EFC second address: A65F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E4C8 second address: A9E4CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E4CC second address: A9E4D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E7D5 second address: A9E7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E917 second address: A9E91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E91D second address: A9E921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E921 second address: A9E932 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9D6D536296h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E932 second address: A9E93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9D6D14BEA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E93E second address: A9E958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F9D6D5362A2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9EEE3 second address: A9EEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0BF5 second address: AA0C0A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D6D536298h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0C0A second address: AA0C61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F9D6D14BEB3h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007F9D6D14BEAEh 0x0000001a pop eax 0x0000001b mov esi, ebx 0x0000001d call 00007F9D6D14BEA9h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0C61 second address: AA0C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0C65 second address: AA0C6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0C6B second address: AA0C85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F9D6D53629Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0C85 second address: AA0C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0C8B second address: AA0C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0C8F second address: AA0CB6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F9D6D14BEB4h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0CB6 second address: AA0CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0CBB second address: AA0CC0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1269 second address: AA126D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA126D second address: AA1273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1273 second address: AA12A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007F9D6D5362A3h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA18F8 second address: AA18FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA18FC second address: AA1900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1900 second address: AA1906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1906 second address: AA191D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D6D5362A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA191D second address: AA1929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1929 second address: AA1990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9D6D536296h 0x0000000a popad 0x0000000b pushad 0x0000000c jns 00007F9D6D536296h 0x00000012 jmp 00007F9D6D5362A5h 0x00000017 popad 0x00000018 popad 0x00000019 xchg eax, ebx 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F9D6D536298h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 je 00007F9D6D53629Ch 0x0000003a sub edi, 722A0CF8h 0x00000040 nop 0x00000041 push edi 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F9D6D5362A0h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1990 second address: AA1994 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1994 second address: AA19A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1B21 second address: AA1B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA2E75 second address: AA2E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA2E7D second address: AA2E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA48E7 second address: AA48EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA48EB second address: AA48F5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA48F5 second address: AA4958 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnp 00007F9D6D536296h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 jmp 00007F9D6D53629Bh 0x00000015 pop ebx 0x00000016 nop 0x00000017 jbe 00007F9D6D536298h 0x0000001d mov esi, eax 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push edi 0x00000024 call 00007F9D6D536298h 0x00000029 pop edi 0x0000002a mov dword ptr [esp+04h], edi 0x0000002e add dword ptr [esp+04h], 0000001Ah 0x00000036 inc edi 0x00000037 push edi 0x00000038 ret 0x00000039 pop edi 0x0000003a ret 0x0000003b mov dword ptr [ebp+12468369h], ecx 0x00000041 mov edi, dword ptr [ebp+124407ADh] 0x00000047 push 00000000h 0x00000049 add di, 14DEh 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA4958 second address: AA495C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA495C second address: AA4962 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA4962 second address: AA4967 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA5EFE second address: AA5F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA5F02 second address: AA5F10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F9D6D14BEA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA5CDB second address: AA5CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6A3A second address: AA6AC2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D6D14BEB2h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 jmp 00007F9D6D14BEB3h 0x00000017 popad 0x00000018 nop 0x00000019 mov edi, dword ptr [ebp+122D34A8h] 0x0000001f mov dword ptr [ebp+122D2F8Eh], ecx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F9D6D14BEA8h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov edi, dword ptr [ebp+122D3C2Ah] 0x00000047 add di, 8BDAh 0x0000004c push 00000000h 0x0000004e mov dword ptr [ebp+12468FEEh], edx 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 jnp 00007F9D6D14BEACh 0x0000005c pushad 0x0000005d pushad 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6AC2 second address: AA6AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9D6D53629Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6AD8 second address: AA6ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6ADE second address: AA6AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6AE2 second address: AA6AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA7550 second address: AA7556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA72DD second address: AA72E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA6FA second address: AAA728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 movsx edi, dx 0x0000000b push 00000000h 0x0000000d jo 00007F9D6D536299h 0x00000013 add bh, 00000053h 0x00000016 push 00000000h 0x00000018 or dword ptr [ebp+122D38C5h], eax 0x0000001e mov ebx, 6B421FE5h 0x00000023 xchg eax, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jo 00007F9D6D536296h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA728 second address: AAA72E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAB629 second address: AAB631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA87E second address: AAA883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAB631 second address: AAB635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAB635 second address: AAB64C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA94D second address: AAA966 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA966 second address: AAA96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAC8FA second address: AAC900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAD615 second address: AAD619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA96C second address: AAA978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAD619 second address: AAD61D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA978 second address: AAA97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA97F second address: AAA989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F9D6D14BEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAE847 second address: AAE84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAE84B second address: AAE851 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB16E6 second address: AB16F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9D6D536296h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB16F1 second address: AB170F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F9D6D14BEB3h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB07EE second address: AB07F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB07F2 second address: AB07F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB07F6 second address: AB07FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB07FC second address: AB0801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB18B1 second address: AB18B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB18B5 second address: AB18BF instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB18BF second address: AB18D6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9D6D53629Ch 0x00000008 je 00007F9D6D536296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB18D6 second address: AB18DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB3831 second address: AB3861 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F9D6D536298h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 pushad 0x00000015 jnp 00007F9D6D536296h 0x0000001b jmp 00007F9D6D53629Ch 0x00000020 popad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB18DC second address: AB196D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9D6D14BEA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, 7CD38131h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 jmp 00007F9D6D14BEABh 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F9D6D14BEA8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d jmp 00007F9D6D14BEB1h 0x00000042 mov dword ptr [ebp+122D1CDFh], ebx 0x00000048 mov eax, dword ptr [ebp+122D069Dh] 0x0000004e jno 00007F9D6D14BEB2h 0x00000054 push FFFFFFFFh 0x00000056 mov di, A5DBh 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F9D6D14BEAAh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB489D second address: AB48FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F9D6D5362A3h 0x0000000a popad 0x0000000b push eax 0x0000000c jo 00007F9D6D5362A3h 0x00000012 jmp 00007F9D6D53629Dh 0x00000017 nop 0x00000018 jbe 00007F9D6D5362A5h 0x0000001e jmp 00007F9D6D53629Fh 0x00000023 push 00000000h 0x00000025 movzx ebx, ax 0x00000028 mov dword ptr [ebp+122D38EEh], edi 0x0000002e push 00000000h 0x00000030 or di, AA72h 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jc 00007F9D6D536296h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5A14 second address: AB5A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5A18 second address: AB5A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F9D6D5362A0h 0x0000000e je 00007F9D6D53629Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB4A55 second address: AB4A5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB7848 second address: AB78BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F9D6D5362A6h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edi, dword ptr [ebp+122D2C8Fh] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F9D6D536298h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F9D6D536298h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov bh, 14h 0x0000004c xchg eax, esi 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F9D6D53629Eh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB69E6 second address: AB69F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9D6D14BEA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F9D6D14BEA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB69F9 second address: AB69FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB6B06 second address: AB6B10 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BEACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB7A57 second address: AB7A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB8AE0 second address: AB8AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC25A2 second address: AC25AC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9D6D536296h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC2701 second address: AC2705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC2705 second address: AC2725 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9D6D536296h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F9D6D53629Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007F9D6D536296h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC2871 second address: AC288C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC288C second address: AC28A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A3h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC28A5 second address: AC28C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F9D6D14BEA6h 0x0000000a jmp 00007F9D6D14BEB4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC28C3 second address: AC28E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC2A1D second address: AC2A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC2A23 second address: AC2A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F9D6D53629Eh 0x0000000e jmp 00007F9D6D53629Ch 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A60D9F second address: A60DA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F9D6D14BEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A60DA9 second address: A60DF6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D6D536296h 0x00000008 jmp 00007F9D6D53629Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F9D6D5362A0h 0x00000015 js 00007F9D6D536296h 0x0000001b jmp 00007F9D6D5362A2h 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push ebx 0x00000024 push edi 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 pushad 0x00000028 popad 0x00000029 pop edi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC783B second address: AC7845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9D6D14BEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC9FC1 second address: AC9FC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC9FC7 second address: AC9FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACA0BE second address: ACA0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFD8E second address: ACFD9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F9D6D14BEA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFD9A second address: ACFDBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F9D6D5362A7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACEAC2 second address: ACEAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 pop edi 0x0000000a push edi 0x0000000b jne 00007F9D6D14BEAEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF094 second address: ACF09C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF09C second address: ACF0A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF0A0 second address: ACF0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF2F3 second address: ACF304 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEABh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF304 second address: ACF32A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D6D5362A6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jc 00007F9D6D536296h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF32A second address: ACF347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF347 second address: ACF37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007F9D6D53629Ch 0x00000012 jmp 00007F9D6D5362A5h 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFA2F second address: ACFA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D6D14BEB5h 0x00000012 jmp 00007F9D6D14BEB3h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFA64 second address: ACFA68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFA68 second address: ACFA6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA87C8 second address: AA87CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA87CE second address: A85626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007F9D6D14BEB9h 0x00000010 xor edi, 0CD855E5h 0x00000016 pop edi 0x00000017 jmp 00007F9D6D14BEB0h 0x0000001c lea eax, dword ptr [ebp+1247D4E0h] 0x00000022 jmp 00007F9D6D14BEAEh 0x00000027 push eax 0x00000028 jns 00007F9D6D14BEBBh 0x0000002e mov dword ptr [esp], eax 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F9D6D14BEA8h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b jmp 00007F9D6D14BEABh 0x00000050 call dword ptr [ebp+1244066Dh] 0x00000056 jne 00007F9D6D14BEACh 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA8DC9 second address: AA8E28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnc 00007F9D6D5362A3h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jns 00007F9D6D5362B0h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 pop eax 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA8E28 second address: AA8E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA8E2E second address: AA8E4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F9D6D536296h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9028 second address: AA902C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA902C second address: AA9039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9039 second address: AA903D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA903D second address: AA9060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jng 00007F9D6D536296h 0x0000000d pop ebx 0x0000000e popad 0x0000000f xchg eax, esi 0x00000010 jmp 00007F9D6D53629Ah 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9060 second address: AA9066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9066 second address: AA906A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA90DB second address: AA90DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA90DF second address: AA90F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F9D6D536296h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA90F1 second address: AA90F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA90F7 second address: AA90FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA90FC second address: AA9136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push esi 0x0000000c jno 00007F9D6D14BEA8h 0x00000012 pop esi 0x00000013 mov eax, dword ptr [eax] 0x00000015 push edi 0x00000016 jmp 00007F9D6D14BEB9h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9708 second address: AA9712 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D53629Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA99D5 second address: AA99DA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9AF2 second address: AA9AF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9AF6 second address: AA9AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD4976 second address: AD497D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD497D second address: AD4989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9D6D14BEA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD4989 second address: AD49B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 je 00007F9D6D5362B6h 0x0000000c pushad 0x0000000d jmp 00007F9D6D5362A6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD4DCD second address: AD4DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD4DD2 second address: AD4DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD4DDA second address: AD4DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5A367 second address: A5A371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9D6D536296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD9EAC second address: AD9EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD9EB2 second address: AD9EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F9D6D536296h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD9EC3 second address: AD9EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADA26A second address: ADA274 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D6D536296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADA274 second address: ADA290 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9D6D14BEACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007F9D6D14BEA8h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD74F second address: ADD753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A696FA second address: A69704 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BEA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69704 second address: A6971C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F9D6D5362A2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6971C second address: A69724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69724 second address: A69728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69728 second address: A6972C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6972C second address: A69732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69732 second address: A69771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F9D6D14BEB7h 0x0000000f jmp 00007F9D6D14BEADh 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 jmp 00007F9D6D14BEAAh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE683D second address: AE6843 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6843 second address: AE6889 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BECDh 0x00000008 jmp 00007F9D6D14BEB2h 0x0000000d jmp 00007F9D6D14BEB5h 0x00000012 pushad 0x00000013 jmp 00007F9D6D14BEB4h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6889 second address: AE68BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F9D6D5362A8h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007F9D6D5362ACh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jbe 00007F9D6D536296h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE68BB second address: AE68C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6B1E second address: AE6B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D53629Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE70D3 second address: AE70E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jnl 00007F9D6D14BEA6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA410 second address: AEA416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA567 second address: AEA56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA6E4 second address: AEA6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AECECE second address: AECEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEE62E second address: AEE63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F9D6D536296h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEE63F second address: AEE675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB5h 0x00000007 jmp 00007F9D6D14BEB9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEE675 second address: AEE68D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jmp 00007F9D6D53629Bh 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF23A1 second address: AF23BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF23BD second address: AF23E8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9D6D536296h 0x00000008 jmp 00007F9D6D5362A1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jc 00007F9D6D5362B4h 0x00000017 js 00007F9D6D53629Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF23E8 second address: AF23F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF23F0 second address: AF23F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF1C4C second address: AF1C6E instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b pushad 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 jg 00007F9D6D14BEACh 0x00000016 jp 00007F9D6D14BEA6h 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF20BE second address: AF20DE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D5362AAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF65C2 second address: AF65C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF65C8 second address: AF65F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F9D6D5362A9h 0x0000000e pop edi 0x0000000f jmp 00007F9D6D53629Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6760 second address: AF678D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9D6D14BEA6h 0x0000000a jng 00007F9D6D14BEA6h 0x00000010 popad 0x00000011 pushad 0x00000012 jc 00007F9D6D14BEACh 0x00000018 jo 00007F9D6D14BEA6h 0x0000001e pushad 0x0000001f jne 00007F9D6D14BEA6h 0x00000025 push edi 0x00000026 pop edi 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF68CF second address: AF68D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6B73 second address: AF6B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6B79 second address: AF6B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6B89 second address: AF6B8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6B8F second address: AF6B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6B94 second address: AF6B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB44B second address: AFB450 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB59F second address: AFB5B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEAFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB5B4 second address: AFB5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB5B9 second address: AFB5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB5BF second address: AFB5C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB5C3 second address: AFB5C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB76D second address: AFB771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB771 second address: AFB78A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F9D6D14BEA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F9D6D14BEA6h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB9DA second address: AFB9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D5362A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB9F2 second address: AFBA0E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D6D14BEB0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFBA0E second address: AFBA14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9582 second address: AA9587 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9587 second address: AA9602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a xor edx, 0AA1ECF2h 0x00000010 mov edx, dword ptr [ebp+1244229Eh] 0x00000016 mov ebx, dword ptr [ebp+1247D51Fh] 0x0000001c sub dx, 4439h 0x00000021 add eax, ebx 0x00000023 jmp 00007F9D6D53629Fh 0x00000028 push eax 0x00000029 jmp 00007F9D6D53629Dh 0x0000002e mov dword ptr [esp], eax 0x00000031 or dword ptr [ebp+124405F7h], ebx 0x00000037 push 00000004h 0x00000039 nop 0x0000003a push ecx 0x0000003b jmp 00007F9D6D5362A4h 0x00000040 pop ecx 0x00000041 push eax 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F9D6D5362A5h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9602 second address: AA9606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC814 second address: AFC818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC818 second address: AFC87B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F9D6D14BEA6h 0x00000012 popad 0x00000013 jp 00007F9D6D14BEAAh 0x00000019 jno 00007F9D6D14BEA8h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 jmp 00007F9D6D14BEB7h 0x00000028 push eax 0x00000029 pop eax 0x0000002a pop edx 0x0000002b jmp 00007F9D6D14BEADh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05042 second address: B0504C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D536296h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B03142 second address: B03146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B03146 second address: B0314C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B038D2 second address: B038FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jl 00007F9D6D14BEA6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 js 00007F9D6D14BEBAh 0x0000001b jmp 00007F9D6D14BEAEh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0417D second address: B04181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B047CB second address: B047CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04A91 second address: B04A96 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B085E5 second address: B085E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B085E9 second address: B085EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B085EF second address: B085F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B085F5 second address: B0860A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D5362A0h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16591 second address: B165A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop ecx 0x00000008 jl 00007F9D6D14BEC4h 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B14DD0 second address: B14DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15C15 second address: B15C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B163D8 second address: B163FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D6D5362A8h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B163FD second address: B16401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16401 second address: B16405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16405 second address: B1640B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1640B second address: B16414 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B141BA second address: B141E4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BEA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F9D6D14BEBEh 0x00000012 jl 00007F9D6D14BEA6h 0x00000018 jmp 00007F9D6D14BEB2h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B141E4 second address: B141EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B141EC second address: B141F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B141F8 second address: B141FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B28BA6 second address: B28BAC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B28BAC second address: B28BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F9D6D536296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B289F3 second address: B289F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B289F8 second address: B28A0D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007F9D6D536298h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AB1E second address: B2AB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AB22 second address: B2AB36 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnl 00007F9D6D536296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F9D6D536296h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AB36 second address: B2AB56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AB56 second address: B2AB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9D6D536296h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A6AF second address: B2A6B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B308CB second address: B308DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9D6D536296h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B308DC second address: B30901 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9D6D14BEA6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F9D6D14BEB5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B46ECE second address: B46EE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D6D5362A4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4703F second address: B47045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47045 second address: B47061 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9D6D5362A0h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47061 second address: B47065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B471CC second address: B471E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D042 second address: B4D075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB5h 0x00000009 popad 0x0000000a jnc 00007F9D6D14BEB6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D075 second address: B4D0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D5362A7h 0x00000009 jmp 00007F9D6D53629Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B59E69 second address: B59E72 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B59E72 second address: B59E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5B612 second address: B5B616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6B396 second address: B6B39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6B39C second address: B6B3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6B3A0 second address: B6B3AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6B3AA second address: B6B3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EADC second address: B6EAE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EAE4 second address: B6EAE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EAE8 second address: B6EAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EC47 second address: B6EC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B874E4 second address: B874EE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9D6D536296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B874EE second address: B8751A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F9D6D14BEB1h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8751A second address: B8753E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9D6D536296h 0x00000008 jmp 00007F9D6D53629Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jno 00007F9D6D536298h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8777A second address: B877A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F9D6D14BEACh 0x00000012 js 00007F9D6D14BEA6h 0x00000018 jng 00007F9D6D14BEC4h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B877A6 second address: B877C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D5362A8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B026 second address: B8B0AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push ecx 0x0000000c mov edx, dword ptr [ebp+122D3A22h] 0x00000012 pop edx 0x00000013 push dword ptr [ebp+122D34D8h] 0x00000019 sub dx, 05CFh 0x0000001e call 00007F9D6D14BEA9h 0x00000023 jo 00007F9D6D14BEB5h 0x00000029 jmp 00007F9D6D14BEAFh 0x0000002e push eax 0x0000002f jg 00007F9D6D14BEB0h 0x00000035 pushad 0x00000036 jnl 00007F9D6D14BEA6h 0x0000003c push ecx 0x0000003d pop ecx 0x0000003e popad 0x0000003f mov eax, dword ptr [esp+04h] 0x00000043 push esi 0x00000044 pushad 0x00000045 je 00007F9D6D14BEA6h 0x0000004b js 00007F9D6D14BEA6h 0x00000051 popad 0x00000052 pop esi 0x00000053 mov eax, dword ptr [eax] 0x00000055 jmp 00007F9D6D14BEB8h 0x0000005a mov dword ptr [esp+04h], eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 pop esi 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B0AB second address: B8B0BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B0BF second address: B8B0C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F9D6D14BEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8DFE4 second address: B8DFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8DFE8 second address: B8DFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D6D14BEB1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8FABC second address: B8FAD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F9D6D536296h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jl 00007F9D6D53629Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070113 second address: 5070147 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 706A2AFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a mov eax, ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F9D6D14BEAAh 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F9D6D14BEB7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070147 second address: 50701B2 instructions: 0x00000000 rdtsc 0x00000002 mov ah, F3h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bl, E7h 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9D6D53629Ch 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F9D6D53629Eh 0x00000018 xor ax, A9A8h 0x0000001d jmp 00007F9D6D53629Bh 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F9D6D5362A8h 0x00000029 or si, 1C08h 0x0000002e jmp 00007F9D6D53629Bh 0x00000033 popfd 0x00000034 popad 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50701B2 second address: 50701B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50701B6 second address: 50701BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50701BC second address: 50701D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0645 second address: 50B064B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B064B second address: 50B064F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50400EB second address: 504010A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504010A second address: 504010E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504010E second address: 5040112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040112 second address: 5040118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040118 second address: 504013E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 mov si, 1FCDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9D6D5362A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504013E second address: 5040166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 352C61C4h 0x00000008 jmp 00007F9D6D14BEADh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9D6D14BEADh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040166 second address: 504018C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D6D53629Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504018C second address: 504019C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504019C second address: 50401CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e pushad 0x0000000f mov ax, DB9Bh 0x00000013 mov edi, ecx 0x00000015 popad 0x00000016 push dword ptr [ebp+0Ch] 0x00000019 jmp 00007F9D6D53629Ah 0x0000001e push dword ptr [ebp+08h] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov ch, 00h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E08 second address: 5060E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E0C second address: 5060E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E12 second address: 5060E44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9D6D14BEB0h 0x0000000f push eax 0x00000010 pushad 0x00000011 movsx ebx, si 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E44 second address: 5060E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E48 second address: 5060E4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50608F3 second address: 50608F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50608F8 second address: 50608FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50607E1 second address: 5060800 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 2F2Eh 0x00000007 mov edx, 6501103Ah 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 call 00007F9D6D53629Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060800 second address: 5060848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F9D6D14BEB1h 0x0000000b adc cx, EF66h 0x00000010 jmp 00007F9D6D14BEB1h 0x00000015 popfd 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov cx, dx 0x00000020 jmp 00007F9D6D14BEAFh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060848 second address: 506084E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 506084E second address: 5060852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060852 second address: 50608A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9D6D5362A8h 0x00000013 sbb cx, 0C98h 0x00000018 jmp 00007F9D6D53629Bh 0x0000001d popfd 0x0000001e jmp 00007F9D6D5362A8h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50608A2 second address: 50608A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50604D1 second address: 50604F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50604F5 second address: 50604F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50604F9 second address: 50604FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50604FF second address: 5060504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060504 second address: 5060529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, 21D4217Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9D6D5362A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060529 second address: 506052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 506052F second address: 5060533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50704A7 second address: 50704AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B04BD second address: 50B0523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 pushfd 0x00000008 jmp 00007F9D6D53629Ah 0x0000000d xor si, 5028h 0x00000012 jmp 00007F9D6D53629Bh 0x00000017 popfd 0x00000018 pushfd 0x00000019 jmp 00007F9D6D5362A8h 0x0000001e add cl, FFFFFF88h 0x00000021 jmp 00007F9D6D53629Bh 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esp], ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F9D6D5362A5h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0523 second address: 50B0533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508047C second address: 50804F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F9D6D5362A0h 0x00000010 mov eax, dword ptr [ebp+08h] 0x00000013 jmp 00007F9D6D5362A0h 0x00000018 and dword ptr [eax], 00000000h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F9D6D53629Dh 0x00000024 and esi, 1EAD6C66h 0x0000002a jmp 00007F9D6D5362A1h 0x0000002f popfd 0x00000030 call 00007F9D6D5362A0h 0x00000035 pop esi 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50804F5 second address: 50804FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50804FB second address: 50804FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50804FF second address: 5080503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060714 second address: 506071A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 506071A second address: 5060720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060720 second address: 506079C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F9D6D5362A4h 0x00000012 jmp 00007F9D6D5362A5h 0x00000017 popfd 0x00000018 push ecx 0x00000019 pushfd 0x0000001a jmp 00007F9D6D5362A7h 0x0000001f adc esi, 1086470Eh 0x00000025 jmp 00007F9D6D5362A9h 0x0000002a popfd 0x0000002b pop ecx 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov dx, ax 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 506079C second address: 50607A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508002D second address: 5080033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080033 second address: 508004E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D6D14BEAFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080230 second address: 508024D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508024D second address: 50802AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D6D14BEB7h 0x00000009 or esi, 2FE5CC3Eh 0x0000000f jmp 00007F9D6D14BEB9h 0x00000014 popfd 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F9D6D14BEB9h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0757 second address: 50A0784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D6D53629Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0784 second address: 50A0806 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F9D6D14BEB1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F9D6D14BEAEh 0x00000015 mov ebp, esp 0x00000017 jmp 00007F9D6D14BEB0h 0x0000001c xchg eax, ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushfd 0x00000023 jmp 00007F9D6D14BEB3h 0x00000028 sub si, 1EEEh 0x0000002d jmp 00007F9D6D14BEB9h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0806 second address: 50A082D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F9D6D53629Ah 0x00000012 pop esi 0x00000013 mov cl, bl 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A082D second address: 50A0845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0845 second address: 50A0849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0849 second address: 50A084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A084F second address: 50A0882 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FB65FCh] 0x0000000e jmp 00007F9D6D5362A0h 0x00000013 test eax, eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0882 second address: 50A0886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0886 second address: 50A088A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A088A second address: 50A0890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0890 second address: 50A0897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 53h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50706FA second address: 5070755 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F9D6D5362A2h 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F9D6D5362A0h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F9D6D5362A7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070755 second address: 5070794 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push FFFFFFFEh 0x0000000b jmp 00007F9D6D14BEAEh 0x00000010 call 00007F9D6D14BEA9h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov ecx, ebx 0x0000001a movsx edx, ax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070794 second address: 50707F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 mov ecx, 304D83B9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F9D6D53629Fh 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007F9D6D5362A9h 0x0000001d mov eax, dword ptr [eax] 0x0000001f jmp 00007F9D6D5362A1h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F9D6D53629Ch 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50707F4 second address: 5070806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070806 second address: 5070853 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c jmp 00007F9D6D5362A6h 0x00000011 call 00007F9D6D536299h 0x00000016 jmp 00007F9D6D5362A0h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov esi, 0C9FCD73h 0x00000024 mov edi, eax 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070853 second address: 5070867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEB0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070867 second address: 50708C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9D6D53629Ch 0x00000013 xor ecx, 3BD19BA8h 0x00000019 jmp 00007F9D6D53629Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F9D6D5362A8h 0x00000025 add ch, 00000008h 0x00000028 jmp 00007F9D6D53629Bh 0x0000002d popfd 0x0000002e popad 0x0000002f mov eax, dword ptr [eax] 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov ecx, edi 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50708C4 second address: 5070951 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov bl, 30h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 mov si, 765Fh 0x00000014 popad 0x00000015 pop eax 0x00000016 pushad 0x00000017 mov ebx, eax 0x00000019 pushfd 0x0000001a jmp 00007F9D6D14BEACh 0x0000001f sbb al, FFFFFFC8h 0x00000022 jmp 00007F9D6D14BEABh 0x00000027 popfd 0x00000028 popad 0x00000029 mov eax, dword ptr fs:[00000000h] 0x0000002f jmp 00007F9D6D14BEB6h 0x00000034 nop 0x00000035 pushad 0x00000036 mov esi, 6758917Dh 0x0000003b pushfd 0x0000003c jmp 00007F9D6D14BEAAh 0x00000041 and si, 8858h 0x00000046 jmp 00007F9D6D14BEABh 0x0000004b popfd 0x0000004c popad 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F9D6D14BEB4h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070951 second address: 5070963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D53629Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070963 second address: 50709B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F9D6D14BEB6h 0x00000011 sub esp, 1Ch 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F9D6D14BEAEh 0x0000001b xor ax, 3778h 0x00000020 jmp 00007F9D6D14BEABh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 mov cl, 02h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50709B3 second address: 50709F4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F9D6D53629Bh 0x00000008 xor ecx, 23EF5F3Eh 0x0000000e jmp 00007F9D6D5362A9h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9D6D53629Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50709F4 second address: 50709FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50709FA second address: 5070A07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A07 second address: 5070A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9D6D14BEB0h 0x0000000a and esi, 59E01698h 0x00000010 jmp 00007F9D6D14BEABh 0x00000015 popfd 0x00000016 popad 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a pushad 0x0000001b jmp 00007F9D6D14BEB1h 0x00000020 jmp 00007F9D6D14BEB0h 0x00000025 popad 0x00000026 call 00007F9D6D14BEB2h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A69 second address: 5070AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push esi 0x00000007 pushad 0x00000008 movzx eax, dx 0x0000000b pushfd 0x0000000c jmp 00007F9D6D53629Fh 0x00000011 sub cl, 0000001Eh 0x00000014 jmp 00007F9D6D5362A9h 0x00000019 popfd 0x0000001a popad 0x0000001b mov dword ptr [esp], esi 0x0000001e jmp 00007F9D6D53629Eh 0x00000023 xchg eax, edi 0x00000024 jmp 00007F9D6D5362A0h 0x00000029 push eax 0x0000002a jmp 00007F9D6D53629Bh 0x0000002f xchg eax, edi 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F9D6D5362A5h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070AE8 second address: 5070B19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FBB370h] 0x0000000e jmp 00007F9D6D14BEAEh 0x00000013 xor dword ptr [ebp-08h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070B19 second address: 5070B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070B1D second address: 5070B3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070B3A second address: 5070B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D53629Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070B4A second address: 5070B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070B4E second address: 5070BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F9D6D53629Ah 0x00000011 jmp 00007F9D6D5362A5h 0x00000016 popfd 0x00000017 jmp 00007F9D6D5362A0h 0x0000001c popad 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F9D6D5362A8h 0x00000027 and eax, 44255D88h 0x0000002d jmp 00007F9D6D53629Bh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070BBB second address: 5070C0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov bl, 1Dh 0x0000000d jmp 00007F9D6D14BEB8h 0x00000012 popad 0x00000013 nop 0x00000014 pushad 0x00000015 jmp 00007F9D6D14BEADh 0x0000001a popad 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070C0E second address: 5070C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070C14 second address: 5070C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070C18 second address: 5070C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr fs:[00000000h], eax 0x0000000e pushad 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070C2A second address: 5070C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a mov esi, dword ptr [ebp+08h] 0x0000000d jmp 00007F9D6D14BEB3h 0x00000012 mov eax, dword ptr [esi+10h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070C53 second address: 5070C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070C57 second address: 5070C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070C5D second address: 5070C86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D6D5362A7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070C86 second address: 5070D43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F9DDEF9AF27h 0x0000000f jmp 00007F9D6D14BEAEh 0x00000014 sub eax, eax 0x00000016 jmp 00007F9D6D14BEB1h 0x0000001b mov dword ptr [ebp-20h], eax 0x0000001e jmp 00007F9D6D14BEAEh 0x00000023 mov ebx, dword ptr [esi] 0x00000025 jmp 00007F9D6D14BEB0h 0x0000002a mov dword ptr [ebp-24h], ebx 0x0000002d jmp 00007F9D6D14BEB0h 0x00000032 test ebx, ebx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F9D6D14BEAEh 0x0000003b adc ah, 00000018h 0x0000003e jmp 00007F9D6D14BEABh 0x00000043 popfd 0x00000044 mov edx, ecx 0x00000046 popad 0x00000047 je 00007F9DDEF9ADFFh 0x0000004d jmp 00007F9D6D14BEB2h 0x00000052 cmp ebx, FFFFFFFFh 0x00000055 pushad 0x00000056 push esi 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070D43 second address: 50706DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 jmp 00007F9DDF3851C8h 0x0000000b jne 00007F9D6D5362B9h 0x0000000d xor ecx, ecx 0x0000000f mov dword ptr [esi], ecx 0x00000011 mov dword ptr [esi+04h], ecx 0x00000014 mov dword ptr [esi+08h], ecx 0x00000017 mov dword ptr [esi+0Ch], ecx 0x0000001a mov dword ptr [esi+10h], ecx 0x0000001d mov dword ptr [esi+14h], ecx 0x00000020 mov ecx, dword ptr [ebp-10h] 0x00000023 mov dword ptr fs:[00000000h], ecx 0x0000002a pop ecx 0x0000002b pop edi 0x0000002c pop esi 0x0000002d pop ebx 0x0000002e mov esp, ebp 0x00000030 pop ebp 0x00000031 retn 0004h 0x00000034 nop 0x00000035 pop ebp 0x00000036 ret 0x00000037 add esi, 18h 0x0000003a pop ecx 0x0000003b cmp esi, 008F56A8h 0x00000041 jne 00007F9D6D536280h 0x00000043 push esi 0x00000044 call 00007F9D6D536B03h 0x00000049 push ebp 0x0000004a mov ebp, esp 0x0000004c push dword ptr [ebp+08h] 0x0000004f call 00007F9D71CF9995h 0x00000054 mov edi, edi 0x00000056 jmp 00007F9D6D5362A0h 0x0000005b xchg eax, ebp 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F9D6D53629Ah 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070266 second address: 5070276 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070276 second address: 507027A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 507027A second address: 507028D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8FED70 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AA892E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8FEDA7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B22E5A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C6ED70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E1892E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C6EDA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E92E5A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Special instruction interceptor: First address: 13DFD89 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Special instruction interceptor: First address: 13DFC7A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Special instruction interceptor: First address: 1587220 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Special instruction interceptor: First address: 15B0590 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Special instruction interceptor: First address: 1599C30 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Special instruction interceptor: First address: 1613B04 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Special instruction interceptor: First address: 81C8E5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Special instruction interceptor: First address: 81C963 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Special instruction interceptor: First address: 9BB04F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Special instruction interceptor: First address: 9B9B37 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Special instruction interceptor: First address: 9B9779 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Special instruction interceptor: First address: 81C8D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Special instruction interceptor: First address: A489CD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Special instruction interceptor: First address: BD7F4A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Special instruction interceptor: First address: BD76DD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Special instruction interceptor: First address: D785D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Special instruction interceptor: First address: BD559E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Special instruction interceptor: First address: DA46A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Special instruction interceptor: First address: 2EFBD2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Special instruction interceptor: First address: 4BCB1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Special instruction interceptor: First address: 4A6972 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Special instruction interceptor: First address: 51CFC1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Special instruction interceptor: First address: 2FDB0B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Special instruction interceptor: First address: 495587 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Special instruction interceptor: First address: 4AB42D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory allocated: 2310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory allocated: 2350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Memory allocated: 4AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Memory allocated: 4D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Memory allocated: 4C50000 memory reserve | memory write watch
Source: C:\Users\Public\Netstat\taskhostw.exe File opened / queried: C:\Windows\System32\drivers\VBoxSF.sys
Source: C:\Users\Public\Netstat\taskhostw.exe File opened / queried: C:\Windows\System32\drivers\vmhgfs.sys
Source: C:\Users\Public\Netstat\taskhostw.exe File opened / queried: C:\Windows\System32\drivers\vmmouse.sys
Source: C:\Users\Public\Netstat\taskhostw.exe File opened / queried: C:\Windows\System32\drivers\VBoxGuest.sys
Source: C:\Users\Public\Netstat\taskhostw.exe File opened / queried: C:\Windows\System32\drivers\VBoxVideo.sys
Source: C:\Users\Public\Netstat\taskhostw.exe File opened / queried: C:\Windows\System32\drivers\vmci.sys
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\Public\Netstat\taskhostw.exe File opened / queried: C:\Windows\System32\drivers\VBoxMouse.sys
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_050D026C rdtsc 0_2_050D026C
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 561
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1155
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1155
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1211
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1175
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1280
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1141
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1107
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1290
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1257
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1257
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window / User API: threadDelayed 1248
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window / User API: threadDelayed 1255
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window / User API: threadDelayed 1256
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Window / User API: threadDelayed 2467
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1900 Thread sleep count: 561 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1900 Thread sleep time: -1122561s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5688 Thread sleep count: 1155 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5688 Thread sleep time: -2311155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1344 Thread sleep count: 255 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1344 Thread sleep time: -7650000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5064 Thread sleep count: 1192 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5064 Thread sleep time: -2385192s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1704 Thread sleep count: 1155 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1704 Thread sleep time: -2311155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe TID: 7632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7656 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 3140 Thread sleep time: -2423211s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 2080 Thread sleep time: -2351175s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 5500 Thread sleep time: -2561280s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 2120 Thread sleep time: -2283141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 4048 Thread sleep time: -2215107s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 3428 Thread sleep time: -2581290s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 344 Thread sleep time: -2515257s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 2596 Thread sleep time: -2515257s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 2708 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6716 Thread sleep count: 65 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6716 Thread sleep time: -130065s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 110 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 136 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 176 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 202 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6480 Thread sleep count: 1248 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6480 Thread sleep time: -2497248s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 80 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6496 Thread sleep count: 1255 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6496 Thread sleep time: -2511255s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6584 Thread sleep count: 1256 > 30
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6584 Thread sleep time: -2513256s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 7964 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7628 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7628 Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7576 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7576 Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7620 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7620 Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7560 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7560 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 5800 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7708 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7708 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7700 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7700 Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7632 Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7632 Thread sleep time: -80040s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7624 Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7624 Thread sleep time: -84042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 5348 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 2060 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 7876 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 3496 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 3052 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 3496 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe TID: 8004 Thread sleep count: 100 > 30
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe TID: 8004 Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 1340 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 5160 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 8160 Thread sleep count: 250 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 8160 Thread sleep time: -1500000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 5184 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 5076 Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 8180 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe TID: 6748 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe TID: 4572 Thread sleep count: 2467 > 30
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe TID: 4572 Thread sleep count: 57 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber, Name FROM Win32_BIOS
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID, IdentifyingNumber, Name FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId, Name, SerialNumber FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Thread sleep count: Count: 2467 delay: -10
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: file.exe, file.exe, 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, skotes.exe, 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp, e7a505b613.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 0KGPkVX.exe, 00000007.00000003.2715475053.00000199E463B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\drivers\VBoxSF.sys
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 0KGPkVX.exe, 00000007.00000003.2686594043.00000199E49A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ["vmci.
Source: 0KGPkVX.exe, 00000007.00000003.2711793740.00000199E463B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\drivers\vmhgfs.sys
Source: 0KGPkVX.exe, 00000007.00000003.2715475053.00000199E4589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3.189", "CID": "gm", "OS": "Windows-10-10.0.19045", "PC-NAME": "571345", "UserName": "user", "PROC": [], "DRIVERS": ["vmci.sys"], "System Language": "en_GB", "Keyboard Layouts": ["en_GB", "en_GB"], "TimeZone": "-0500", "ScreenSize": [1280, 1024], "sysinfo": {"cpu": ["Node,Name,ProcessorId,SerialNumber", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,05EBAB07E8,", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,6C202116B2,"], "csproduct": ["Node,IdentifyingNumber,Name,UUID", "571345,1WEWZM,{833E199C-8C91-4A99-9B85-14D82B785934},71434D56-1548-ED3D-AEE6-C75AECD93BF0"], "bios": ["Node,Name,SerialNumber", "571345,VMW201.00V.20829224.B64.2211211842,Y3G2DK747E"]}, "fullpath": "C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe", "args": ["C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe"]}}
Source: c12cb864c6.exe, 0000002D.00000003.2776379609.0000000002032000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: 0KGPkVX.exe, 00000007.00000003.2711793740.00000199E4589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"cmd": "system_info", "data": {"is_admin": true, "IP": "8.46.123.189", "CID": "gm", "OS": "Windows-10-10.0.19045", "PC-NAME": "571345", "UserName": "user", "PROC": [], "DRIVERS": ["vmci.sys"], "System Language": "en_GB", "Keyboard Layouts": ["en_GB", "en_GB"], "TimeZone": "-0500", "ScreenSize": [1280, 1024], "sysinfo": {"cpu": ["Node,Name,ProcessorId,SerialNumber", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,05EBAB07E8,", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,6C202116B2,"], "csproduct": ["Node,IdentifyingNumber,Name,UUID", "571345,1WEWZM,{833E199C-8C91-4A99-9B85-14D82B785934},71434D56-1548-ED3D-AEE6-C75AECD93BF0"], "bios": ["Node,Name,SerialNumber", "571345,VMW201.00V.20829224.B64.2211211842,Y3G2DK747E"]}, "fullpath": "C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe", "args": ["C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe"]}} r4
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727112349.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727593553.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2725004156.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726047574.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.3037835051.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723994040.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723213122.0000000002806000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: file.exe, 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 0KGPkVX.exe, 00000007.00000003.2715475053.00000199E4589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3.189", "CID": "gm", "OS": "Windows-10-10.0.19045", "PC-NAME": "571345", "UserName": "user", "PROC": [], "DRIVERS": ["vmci.sys"], "System Language": "en_GB", "Keyboard Layouts": ["en_GB", "en_GB"], "TimeZone": "-0500", "ScreenSize": [1280, 1024], "sysinfo": {"cpu": ["Node,Name,ProcessorId,SerialNumber", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,05EBAB07E8,", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,6C202116B2,"], "csproduct": ["Node,IdentifyingNumber,Name,UUID", "571345,1WEWZM,{833E199C-8C91-4A99-9B85-14D82B785934},71434D56-1548-ED3D-AEE6-C75AECD93BF0"], "bios": ["Node,Name,SerialNumber", "571345,VMW201.00V.20829224.B64.2211211842,Y3G2DK747E"]}, "fullpath": "C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe", "args": ["C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe"]}} r4
Source: 0KGPkVX.exe, 00000007.00000003.2711793740.00000199E4589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"cmd": "system_info", "data": {"is_admin": true, "IP": "8.46.123.189", "CID": "gm", "OS": "Windows-10-10.0.19045", "PC-NAME": "571345", "UserName": "user", "PROC": [], "DRIVERS": ["vmci.sys"], "System Language": "en_GB", "Keyboard Layouts": ["en_GB", "en_GB"], "TimeZone": "-0500", "ScreenSize": [1280, 1024], "sysinfo": {"cpu": ["Node,Name,ProcessorId,SerialNumber", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,05EBAB07E8,", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,6C202116B2,"], "csproduct": ["Node,IdentifyingNumber,Name,UUID", "571345,1WEWZM,{833E199C-8C91-4A99-9B85-14D82B785934},71434D56-1548-ED3D-AEE6-C75AECD93BF0"], "bios": ["Node,Name,SerialNumber", "571345,VMW201.00V.20829224.B64.2211211842,Y3G2DK747E"]}, "fullpath": "C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe", "args": ["C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe"]}}
Source: 0KGPkVX.exe, 00000007.00000003.2711793740.00000199E463B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\drivers\vmmouse.sysO
Source: c12cb864c6.exe, 0000002D.00000003.2780938395.00000000072D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_050D026C rdtsc 0_2_050D026C
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C391E62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C391E62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C652B mov eax, dword ptr fs:[00000030h] 0_2_008C652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008CA302 mov eax, dword ptr fs:[00000030h] 0_2_008CA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C3A302 mov eax, dword ptr fs:[00000030h] 1_2_00C3A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00C3652B mov eax, dword ptr fs:[00000030h] 1_2_00C3652B
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C395C81 mov eax, dword ptr fs:[00000030h] 8_2_6C395C81
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C394A42 mov eax, dword ptr fs:[00000030h] 8_2_6C394A42
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C391937 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6C391937
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C391E62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C391E62
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C39435C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C39435C
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000 value starts with: 4D5A
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: rapeflowwj.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: crosshuaht.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: sustainskelet.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: aspecteirs.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: energyaffai.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: necklacebudi.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: discokeyus.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: grannyejh.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: sweepyribs.lat
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C41000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C7E000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C81000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C91000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C92000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C41000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C7E000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C81000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C91000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C92000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2436008 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe "C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe "C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe "C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe "C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe "C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown (7 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" (7 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver" (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid,IdentifyingNumber,Name /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic bios get SerialNumber,Name /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist (7 identical entries)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get ProcessorId,Name,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid,IdentifyingNumber,Name /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic bios get SerialNumber,Name /format:csv
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Process created: unknown unknown (2 identical entries)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\taskhostw.exe C:\Users\Public\Netstat\taskhostw.exe
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" (5 identical entries)
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: unknown unknown (6 identical entries)
Source: C:\Users\Public\Netstat\taskhostw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
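Triage logic for the process-creation chain listed above, added here as an example; it is not part of the sandbox report and not code from any of the detected families. It replays the report's own command lines (plus one benign Run-key entry, constructed as a control) as minimal process-creation records carrying the three fields a Sysmon Event ID 1 entry provides, and flags the five behaviours the report's signatures name: a Run key whose target sits in a user-writable folder, a system-process name (taskhostw.exe) running outside the Windows system directories, a parent process in the Public folder, wmic hardware-identifier collection, and a forced browser kill. The record type ProcEvent, the detection names, the folder and process-name lists and the regular expressions are this example's own choices, not anything the report defines.

```python
"""Process-creation triage for the chain in the report (added example, not report content).

Records carry parent image, image and command line, the fields a Sysmon Event ID 1
entry or the report's "Process created" lines provide. SAMPLE_EVENTS is constructed
from the command lines in the report plus one benign control record.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:  # record type chosen for this example
    parent_image: str
    image: str
    command_line: str


# Folders a persistence target should never point into (expanded and %VAR% forms).
USER_WRITABLE = (
    "c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
    "c:\\programdata\\", "%public%\\", "%temp%\\", "%appdata%\\", "%localappdata%\\",
)
# Windows binaries that legitimately load only from the system directories below.
SYSTEM_NAMES = {"taskhostw.exe", "svchost.exe", "conhost.exe", "csrss.exe",
                "lsass.exe", "dllhost.exe", "runtimebroker.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# All matching is done on lower-cased command lines, so the patterns are lower-case.
RUNKEY_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?hk(?:cu|lm)\\software\\microsoft\\windows\\currentversion\\run')
RUNKEY_DATA_RE = re.compile(r'(?:^|\s)/d\s+"?([^"]+)"?')
# wmic hardware identifiers: used both as a VM/sandbox check and as a victim ID.
FINGERPRINT_RE = re.compile(
    r"\bwmic\b.*\b(?:cpu|csproduct|bios|baseboard|diskdrive)\b.*\bget\b.*"
    r"\b(?:processorid|uuid|serialnumber|identifyingnumber)\b")
BROWSER_KILL_RE = re.compile(r"\btaskkill\b.*\s/im\s+(?:firefox|chrome|msedge|brave|opera)\.exe")


def classify(ev: ProcEvent) -> list:
    """Return the detection names that fire for one record, in a fixed order."""
    hits = []
    cmd = ev.command_line.lower()
    img = ev.image.lower()
    if img.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not img.startswith(SYSTEM_DIRS):
        hits.append("system_process_name_in_unexpected_location")
    if RUNKEY_RE.search(cmd):
        m = RUNKEY_DATA_RE.search(cmd)
        target = m.group(1) if m else ""
        if any(folder in target for folder in USER_WRITABLE):
            hits.append("run_key_to_user_writable_folder")
    if FINGERPRINT_RE.search(cmd):
        hits.append("wmic_hardware_fingerprint")
    if BROWSER_KILL_RE.search(cmd):
        hits.append("browser_force_killed")
    if ev.parent_image.lower().startswith("c:\\users\\public\\"):
        hits.append("parent_in_public_folder")
    return hits


def scan(events) -> dict:
    """Map record index -> detections, keeping only the records that fired."""
    out = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out[i] = hits
    return out


# Constructed from the report's command lines; the last record is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe", r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\Netstat\taskhostw.exe",
              r"C:\Users\Public\Netstat\taskhostw.exe"),
    ProcEvent(r"C:\Users\Public\Netstat\taskhostw.exe", r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "tasklist"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe", r"C:\Windows\SysWOW64\taskkill.exe",
              r"taskkill /F /IM firefox.exe /T"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDrive" /t REG_SZ /F /D "C:\Program Files\Microsoft OneDrive\OneDrive.exe"'),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[i]
        print(f"[{i}] {ev.image} <- {ev.parent_image}: {', '.join(hits)}")
```

The Run-key check deliberately inspects the /D target rather than the key alone, since legitimate installers write the same key; the control record under Program Files produces no hit. The process-name check only fires for binaries outside System32, SysWOW64 and WinSxS, so the report's genuine conhost.exe launches stay quiet while the Public-folder taskhostw.exe does not.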
Source: file.exe, 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 9=Program Manager
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Code function: 8_2_6C392038 cpuid 8_2_6C392038
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019390001\fefd39b33e.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019391001\a7b199a02f.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019392001\1e89408d66.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019393001\7d2e166a3a.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019394001\417733cd59.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019395001\6f56e47528.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019396001\6e8fe4238e.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019397001\2e999888fd.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019398001\e00c1dd1b5.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019399001\16e3a15664.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation (101 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Windows\System32\drivers\vmci.sys VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\et VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\x64 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OptimizationGuidePredictionModels VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\pnacl VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\OriginTrials VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000003.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000003.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\CURRENT VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000001 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\Public VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008ACBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_008ACBEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: aspnet_regiis.exe, 0000000A.00000003.2870701783.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2885987436.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2872129810.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2900034652.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
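The registry writes above all land under HKLM\SOFTWARE\Policies, the hive Group Policy uses, so on a workstation that is not under a Defender or Windows Update GPO the mere presence of these values is suspicious; whether the engine actually honoured them is a separate question, since tamper protection rejects some of them. The PowerShell below is an added example, not part of the sandbox report: it audits a host for exactly the values listed in this section, then reads the engine's own state with Get-MpComputerStatus, and finally issues the same SecurityCenter2 WMI query the sample ran. The only assumption is the key for the report's unpathed TamperProtection value, which Defender keeps under SOFTWARE\Microsoft\Windows Defender\Features.

```powershell
# Added example, not part of the sandbox report: audit a host for the policy
# values this sample wrote, then compare with what the Defender engine reports.
# Run from an elevated PowerShell on a Windows 10/11 client with Defender present.

# Indicators taken from the report lines above. Bad = the value the sample set.
# Bad = $null: the report shows the value being written but not its content,
# so flag presence alone (these keys are normally written only by Group Policy).
# The TamperProtection path is an assumption: the report lists the value
# without its key; Defender keeps it under ...\Windows Defender\Features.
$Indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'
       Name = 'DisableNotifications';      Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Name = 'DisableIOAVProtection';     Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Name = 'DisableRealtimeMonitoring'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
       Name = 'TamperProtection';          Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name = 'AUOptions';                 Bad = $null }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name = 'AutoInstallMinorUpdates';   Bad = $null }
)

function Test-DefenderPolicyTampering {
    foreach ($i in $Indicators) {
        # Absent key or absent value: nothing was written here, skip silently.
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $actual = $item.($i.Name)
        [pscustomobject]@{
            Path       = $i.Path
            Name       = $i.Name
            Value      = $actual
            Suspicious = ($null -eq $i.Bad) -or ($actual -eq $i.Bad)
        }
    }
}

function Get-DefenderEngineState {
    # The engine's own report is authoritative: a policy value it ignored
    # (for example because tamper protection rejected the change) still shows
    # up in the registry audit above but leaves RealTimeProtectionEnabled = True.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        IoavProtectionEnabled     = $s.IoavProtectionEnabled
        IsTamperProtected         = $s.IsTamperProtected
    }
}

Test-DefenderPolicyTampering | Format-Table -AutoSize
Get-DefenderEngineState

# The same query the sample issued (root/SecurityCenter2 exists on client SKUs
# only, not on Windows Server): this is the AV inventory the malware saw.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, productState
```

A registry row marked Suspicious together with RealTimeProtectionEnabled = False and IsTamperProtected = False means the sample's changes took effect; the same row with the engine still reporting protection on means the write landed but was not honoured, which is still worth an alert because something with administrative rights wrote to a policy key.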

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 7636, type: MEMORYSTR
Source: Yara match File source: 00000047.00000003.3027432883.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: aspnet_regiis.exe, 0000000A.00000003.2725004156.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertyicgx
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: aspnet_regiis.exe, 0000000A.00000003.2725004156.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3_w
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
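The file-open events that follow mix genuine credential stores (Chromium Login Data, Cookies and Web Data; Firefox key4.db and logins.json, which together are what is needed to decrypt saved Firefox logins; the 32-character directories under Local Extension Settings where browser wallet extensions keep their vaults) with cache and metadata directories that any process walking the whole profile tree also touches. The PowerShell below is an added triage example, not part of the report: it assumes file-open telemetry reduced to "process|path" lines (constructed here from this section's evidence; on a live host the equivalent source is EDR file-open events or object-access auditing, event 4663), classifies each path and summarises per process which stores were reached. One caveat: the contents of Chromium's Login Data and Cookies databases are encrypted on disk with DPAPI, and on current Chrome with an app-bound key, so opening the file is the first step of the theft, not the theft itself.

```powershell
# Added example, not part of the sandbox report: classify file-open events
# against known browser credential stores and wallet locations, then summarise
# per process. Input is constructed from the "File opened" lines of this section.
$Events = @'
C:\Users\Public\Netstat\taskhostw.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
C:\Users\Public\Netstat\taskhostw.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
C:\Users\Public\Netstat\taskhostw.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG
C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe|C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
'@

# Ordered so the first matching rule wins. Patterns are .NET regexes; '\\' is
# one literal backslash. Chrome extension IDs are exactly 32 letters a-p.
$Rules = [ordered]@{
    'Chromium saved logins'      = '\\Login Data( For Account)?$'
    'Chromium cookies'           = '\\Network\\Cookies$'
    'Chromium autofill/history'  = '\\(Web Data|History)$'
    'Firefox key store'          = '\\key4\.db$'
    'Firefox saved logins'       = '\\logins\.json$'
    'Firefox cookies/history'    = '\\(cookies|places|formhistory)\.sqlite(-wal|-shm)?$'
    'Extension storage (wallets)' = '\\(Local|Sync) Extension Settings\\[a-p]{32}$'
    'Desktop wallet data'        = '\\(Electrum|ElectronCash|Exodus)\\'
}
$Benign = 'Profile cache/metadata (not a credential store)'

function Get-CredentialAccessSummary {
    param([string]$EventText)

    $rows = foreach ($line in ($EventText -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $proc, $path = $line -split '\|', 2
        $category = $Benign
        foreach ($name in $Rules.Keys) {
            if ($path -match $Rules[$name]) { $category = $name; break }
        }
        [pscustomobject]@{ Process = (Split-Path $proc -Leaf); Category = $category; Path = $path }
    }

    # One row per process: how many profile objects it touched and which of
    # them are actual credential stores. A process with many touches and no
    # stores is enumerating; one that goes straight to the stores is stealing.
    $rows | Group-Object Process | ForEach-Object {
        $stores = $_.Group | Where-Object Category -ne $Benign |
                  Select-Object -ExpandProperty Category -Unique
        [pscustomobject]@{
            Process          = $_.Name
            Touches          = $_.Count
            CredentialStores = ($stores -join '; ')
        }
    }
}

Get-CredentialAccessSummary -EventText $Events | Format-Table -AutoSize
```

On the constructed input, e7a505b613.exe comes out with Chromium saved logins, Chromium cookies, both Firefox stores and extension storage, df1fc80896.exe with Firefox cookies only, and taskhostw.exe with three touches and no credential store, which matches the split in the events below: one process reads the secrets, another walks the profile tree.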
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\8pecxstudios\Cyberfox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\Public\Netstat\taskhostw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe Directory queried: number of queries: 1001
Source: Yara match File source: 0000000A.00000003.2727593553.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2727112349.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2725004156.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2726047574.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2723994040.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2723213122.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2723742687.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2724742164.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2727851900.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2723498753.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2715664410.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2725469085.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2726296508.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2872775779.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2726799865.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2728097001.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2722240097.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2725233317.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2716488968.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2872129810.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2724446404.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2728337687.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2722936027.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2726544967.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2728624365.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 7636, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 7636, type: MEMORYSTR
Source: Yara match File source: 00000047.00000003.3027432883.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY