Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1579322
MD5: 1790b57cfe11d52a447cb53b7632e0d9
SHA1: 3e4eb8d73efbe3ba55fbb61c8a0cfda695e302ef
SHA256: 09b5590de6b345c0c942426b23309b24e5504a692f408a8353de5fbf38986761
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops large PE files
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[5].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}
Source: 00000002.00000002.1775834203.00000000000C1000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 03f60c0f6e.exe.2688.9.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["rapeflowwj.lat", "sustainskelet.lat", "energyaffai.lat", "discokeyus.lat", "necklacebudi.lat", "crosshuaht.lat", "treehoneyi.click", "grannyejh.lat", "aspecteirs.lat"], "Build id": "rAGxSF--load"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[5].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[4].exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe Virustotal: Detection: 58% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.4% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[5].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_58484496-1
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: c534667f0b.exe, 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2763054192.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000000.2753701164.0000024720CF2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256\u source: c534667f0b.exe, 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2763054192.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000000.2753701164.0000024720CF2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: c534667f0b.exe, 0000000A.00000000.2569293502.0000000000682000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: c534667f0b.exe, 0000000A.00000000.2569293502.0000000000682000.00000002.00000001.01000000.0000000B.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: number of queries: 2002
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\AppData\Local Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: treehoneyi.click
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199809363512
Source: Malware configuration extractor IPs: 185.215.113.43
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 11
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.121.15.192 185.121.15.192
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0026E0C0 recv,recv,recv,recv, 0_2_0026E0C0
Source: chrome.exe, 00000018.00000002.3127171664.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3136900895.000049E800FD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3136807304.000049E800F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000018.00000002.3127171664.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3136900895.000049E800FD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3136807304.000049E800F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000018.00000002.3126692645.000049E8002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: fde7a493e9.exe, 00000015.00000003.3612313289.0000000005761000.00000004.00000020.00020000.00000000.sdmp, fde7a493e9.exe, 00000015.00000003.3555800796.0000000005761000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.73.23/files/download
Source: fde7a493e9.exe, 00000015.00000003.3612313289.0000000005761000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.73.23/files/downloadso
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129128916.000049E800618000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000018.00000002.3129128916.000049E800618000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970I
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078z28
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129128916.000049E800618000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133306125.000049E800C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2917773681.000049E800C3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133306125.000049E800C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2917773681.000049E800C3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133306125.000049E800C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2917773681.000049E800C3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129128916.000049E800618000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384I
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375z28
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876z28
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130578209.000049E80080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129128916.000049E800618000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000018.00000002.3129128916.000049E800618000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370un
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000018.00000002.3129294718.000049E80066C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: powershell.exe, 0000000C.00000002.2628377954.0000000008981000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2614280806.0000000003183000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.2623443031.0000000007A1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microI
Source: powershell.exe, 0000000F.00000002.2677636618.0000000008842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft/
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024722FEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/StoreAppList.Light.png
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024723084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/StoreLogo.Light.png
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.00000247231D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/Theme/Light.xaml
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.00000247231D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/app.Light.ico
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.00000247230E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://e12564.dspb.akamaiedge.net
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2D31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024722FEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/StoreAppList.Light.png
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024723084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/StoreLogo.Light.png
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.00000247231D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/app.Light.ico
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.00000247231D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/app.light.ico
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024722FEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/storeapplist.light.png
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024723084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/storelogo.light.png
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2759569441.0000000002B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2759569441.0000000002B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.comd
Source: chrome.exe, 00000018.00000002.3125362195.000049E800050000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
Source: 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: powershell.exe, 0000000C.00000002.2619196230.0000000005F05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2669221073.0000000005DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 0000000F.00000002.2653782598.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.comd
Source: chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certsI
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.000002472329E000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024722F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.000002472329E000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024722F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.000002472329E000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024722F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024722F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/StoreInstaller.Models
Source: powershell.exe, 0000000C.00000002.2616123137.0000000004FF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2653782598.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2616123137.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2653782598.0000000004D61000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.00000247230C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.2616123137.0000000004FF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2653782598.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: 906ea9c047.exe, 0000001A.00000000.2912418039.0000000000423000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: powershell.exe, 0000000F.00000002.2653782598.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: chrome.exe, 00000018.00000002.3131958838.000049E800A40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.000002472329E000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2832161094.0000024722F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.w3.oh
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 03f60c0f6e.exe, 00000009.00000003.2716293262.0000000003734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 03f60c0f6e.exe, 00000009.00000003.2667307921.0000000003E61000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2667431694.0000000003742000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000018.00000002.3125556527.000049E8000A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000018.00000002.3132072573.000049E800A7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000018.00000002.3132072573.000049E800A7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standardI
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000018.00000002.3125475153.000049E800078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000018.00000002.3125475153.000049E800078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000018.00000002.3125475153.000049E800078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000018.00000002.3125556527.000049E8000A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: powershell.exe, 0000000C.00000002.2616123137.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2653782598.0000000004D61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127721393.000049E800450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000018.00000003.2911814977.000049E800828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911004005.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: 03f60c0f6e.exe, 00000009.00000003.2718485144.00000000036FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 03f60c0f6e.exe, 00000009.00000003.2718485144.00000000036FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: chrome.exe, 00000018.00000002.3128137037.000049E8004F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129875527.000049E800734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000018.00000002.3128137037.000049E8004F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actionsI
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: 03f60c0f6e.exe, 00000009.00000003.2667307921.0000000003E61000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2667431694.0000000003742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icoue
Source: chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: 03f60c0f6e.exe, 00000009.00000003.2667307921.0000000003E61000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2667431694.0000000003742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000018.00000002.3129128916.000049E800618000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000018.00000003.2919087349.000049E800D34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000018.00000002.3129245712.000049E80065C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000018.00000002.3131284224.000049E800924000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3131958838.000049E800A40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000018.00000003.2912689275.000049E800D34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2918259276.000049E800D34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2912581777.000049E800CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2917663364.000049E800CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133855353.000049E800CE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2919087349.000049E800D34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000018.00000002.3140935745.000066940080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880483809.0000669400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000018.00000002.3140935745.000066940080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880483809.0000669400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000018.00000002.3140935745.000066940080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880483809.0000669400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000018.00000002.3125319787.000049E80001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000018.00000002.3133645829.000049E800C94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000018.00000003.2874135011.00003B78002E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000018.00000002.3129938097.000049E80075B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129404925.000049E80069C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3125319787.000049E80001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126142790.000049E8001A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133363118.000049E800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129563506.000049E8006D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000018.00000002.3125556527.000049E8000A7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3132575172.000049E800B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bI
Source: chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000018.00000002.3129875527.000049E800734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000018.00000002.3129294718.000049E80066C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: 03f60c0f6e.exe, 00000009.00000003.2718485144.00000000036FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 03f60c0f6e.exe, 00000009.00000003.2718485144.00000000036FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 0000000F.00000002.2669221073.0000000005DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.2669221073.0000000005DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.2669221073.0000000005DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 00000018.00000002.3126541904.000049E8002A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/368855.)
Source: 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000018.00000002.3126692645.000049E8002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130414749.000049E8007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130472970.000049E8007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130414749.000049E8007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130472970.000049E8007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130414749.000049E8007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130472970.000049E8007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000018.00000002.3126692645.000049E8002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000018.00000002.3128137037.000049E8004F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129875527.000049E800734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000018.00000002.3126692645.000049E8002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000018.00000002.3128137037.000049E8004F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129875527.000049E800734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: 03f60c0f6e.exe, 00000009.00000003.2581874523.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000000.2516420358.0000000000C4F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000018.00000003.2895383080.000049E800444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000018.00000002.3127252065.000049E8003A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000018.00000002.3131455883.000049E800980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000018.00000002.3131455883.000049E800980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 03f60c0f6e.exe, 00000009.00000003.2667307921.0000000003E61000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2667431694.0000000003742000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: 03f60c0f6e.exe, 00000009.00000003.2667307921.0000000003E61000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2667431694.0000000003742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2D62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2D62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2D43000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2773392925.0000017EE2D94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2D62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 0000000F.00000002.2653782598.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000000.2569293502.0000000000682000.00000002.00000001.01000000.0000000B.sdmp, c534667f0b.exe, 0000000A.00000002.2759569441.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/biyjdfjadaw.exe
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2755889265.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000000.2569293502.0000000000682000.00000002.00000001.01000000.0000000B.sdmp, c534667f0b.exe, 0000000A.00000002.2759569441.0000000002A89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/ktyihkdfesf.exe
Source: c534667f0b.exe, 0000000A.00000002.2755889265.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/ktyihkdfesf.exe1
Source: chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000018.00000002.3140935745.000066940080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880483809.0000669400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000018.00000002.3140935745.000066940080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880483809.0000669400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000018.00000002.3125285263.000049E80000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000018.00000002.3129245712.000049E80065C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ip
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ipbefore
Source: 03f60c0f6e.exe, 00000009.00000003.2718485144.00000000036FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000018.00000003.2911756573.000049E800380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130414749.000049E8007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130472970.000049E8007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130414749.000049E8007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130472970.000049E8007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000018.00000002.3139075959.0000669400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000018.00000002.3140598075.0000669400770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3131958838.000049E800A40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3139075959.0000669400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000018.00000002.3140935745.000066940080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880483809.0000669400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000018.00000002.3140935745.000066940080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880483809.0000669400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000018.00000002.3139075959.0000669400238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardf
Source: chrome.exe, 00000018.00000002.3140598075.0000669400770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3131958838.000049E800A40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000018.00000002.3140935745.000066940080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880483809.0000669400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000018.00000003.2882269414.00006694006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000018.00000003.2880801644.000066940039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000018.00000002.3140716706.000066940078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000018.00000002.3140556575.0000669400744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000018.00000002.3126919401.000049E800330000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2894296430.000049E8001E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000018.00000002.3127252065.000049E8003A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000018.00000002.3128137037.000049E8004F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129875527.000049E800734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000018.00000002.3130311422.000049E8007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000018.00000002.3130311422.000049E8007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhoneI
Source: chrome.exe, 00000018.00000002.3130311422.000049E8007AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000018.00000002.3131793818.000049E800A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: powershell.exe, 0000000C.00000002.2619196230.0000000005F05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2669221073.0000000005DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2D62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000014.00000003.2773392925.0000017EE2CF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: chrome.exe, 00000018.00000002.3135172453.000049E800E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135855157.000049E800E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133363118.000049E800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135611866.000049E800E6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000018.00000002.3135172453.000049E800E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135893971.000049E800E88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2918012912.000049E8006F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135855157.000049E800E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135611866.000049E800E6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000018.00000002.3135172453.000049E800E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133363118.000049E800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135611866.000049E800E6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000018.00000003.2918012912.000049E8006F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135855157.000049E800E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126692645.000049E8002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133363118.000049E800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135611866.000049E800E6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000018.00000002.3135855157.000049E800E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126692645.000049E8002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133363118.000049E800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135611866.000049E800E6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000018.00000003.2918012912.000049E8006F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135855157.000049E800E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133363118.000049E800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135611866.000049E800E6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000018.00000002.3135172453.000049E800E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135893971.000049E800E88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2918012912.000049E8006F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135855157.000049E800E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135611866.000049E800E6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000018.00000002.3135172453.000049E800E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2918012912.000049E8006F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135855157.000049E800E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133363118.000049E800C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135611866.000049E800E6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000018.00000002.3131793818.000049E800A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000018.00000002.3131793818.000049E800A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2759569441.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Urijas/moperats/refs/heads/main/biyjdfjadaw.exe
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Urijas/moperats/refs/heads/main/ktyihkdfesf.exe
Source: c534667f0b.exe, 0000000A.00000002.2759569441.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.comD
Source: chrome.exe, 00000018.00000002.3125556527.000049E8000A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000018.00000002.3125437484.000049E800058000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130414749.000049E8007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130472970.000049E8007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130414749.000049E8007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3130472970.000049E8007DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: c534667f0b.exe, 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2763054192.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2759569441.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000000.2752978754.0000000000423000.00000008.00000001.01000000.00000010.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000000.2752978754.0000000000423000.00000008.00000001.01000000.00000010.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.0
Source: 03f60c0f6e.exe, 00000009.00000003.2668041733.0000000003E8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: 03f60c0f6e.exe, 00000009.00000003.2717527566.0000000004082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 03f60c0f6e.exe, 00000009.00000003.2717527566.0000000004082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 03f60c0f6e.exe, 00000009.00000003.2668407543.0000000003E86000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2668041733.0000000003E8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 03f60c0f6e.exe, 00000009.00000003.2668407543.0000000003E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 03f60c0f6e.exe, 00000009.00000003.2668407543.0000000003E86000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2668041733.0000000003E8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 03f60c0f6e.exe, 00000009.00000003.2668407543.0000000003E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: c534667f0b.exe, 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2763054192.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2759569441.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2776478403.0000000000875000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2776221291.0000000000868000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000000.2752978754.0000000000423000.00000008.00000001.01000000.00000010.sdmp String found in binary or memory: https://t.me/k04ael
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000000.2752978754.0000000000423000.00000008.00000001.01000000.00000010.sdmp String found in binary or memory: https://t.me/k04aelm0nk3Mozilla/5.0
Source: chrome.exe, 00000018.00000002.3131958838.000049E800A40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2776221291.0000000000868000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2906038210.000000000086E000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2806760077.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2879001082.000000000086D000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2830010420.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2853234521.000000000086D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2906038210.000000000086E000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2806760077.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2830010420.000000000086F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/=
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2806760077.000000000086F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/?
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2906038210.000000000086E000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2806760077.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2879001082.000000000086D000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2830010420.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2853234521.000000000086D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/O
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2906038210.000000000086E000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2806760077.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2879001082.000000000086D000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2830010420.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2853234521.000000000086D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/a
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2806760077.000000000086F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/b
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2906038210.000000000086E000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2806760077.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2879001082.000000000086D000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2853234521.000000000086D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/m
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2906038210.000000000086E000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2879001082.000000000086D000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2830010420.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2853234521.000000000086D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/w
Source: 03f60c0f6e.exe, 00000009.00000003.2745554337.00000000036CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/
Source: 03f60c0f6e.exe, 00000009.00000003.2692939646.0000000003709000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2715240604.0000000003709000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2691639207.0000000003708000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2692726320.0000000003709000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2690863144.0000000003708000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2744173518.0000000003700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/FqE=
Source: 03f60c0f6e.exe, 00000009.00000003.2800282585.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2775612086.00000000036F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/V
Source: 03f60c0f6e.exe, 03f60c0f6e.exe, 00000009.00000003.2750553075.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2800282585.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2745554337.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000002.2858415028.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2800282585.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2715417561.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2750254218.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000002.2858415028.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2715417561.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000002.2858415028.0000000003690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/api
Source: 03f60c0f6e.exe, 00000009.00000003.2750553075.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2745554337.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2750254218.00000000036F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/api.z&s)
Source: 03f60c0f6e.exe, 00000009.00000002.2858415028.0000000003690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/apiX
Source: 03f60c0f6e.exe, 00000009.00000003.2800282585.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000002.2858415028.00000000036E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/apibu
Source: 03f60c0f6e.exe, 00000009.00000003.2715417561.00000000036F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/apint
Source: 03f60c0f6e.exe, 00000009.00000003.2715417561.00000000036F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/indoN
Source: 03f60c0f6e.exe, 00000009.00000002.2858415028.00000000036E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/nr
Source: 03f60c0f6e.exe, 00000009.00000003.2800282585.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2775612086.00000000036F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/s
Source: 03f60c0f6e.exe, 00000009.00000003.2800282585.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2690863144.0000000003708000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click:443/api
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000003.2776478403.0000000000875000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: chrome.exe, 00000018.00000002.3131396696.000049E800960000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ww.google.com/
Source: 03f60c0f6e.exe, 00000009.00000003.2718485144.00000000036FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: 03f60c0f6e.exe, 00000009.00000003.2667307921.0000000003E61000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2667431694.0000000003742000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133067662.000049E800BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000018.00000002.3133243949.000049E800C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: 03f60c0f6e.exe, 00000009.00000003.2718485144.00000000036FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: chrome.exe, 00000018.00000002.3131565199.000049E8009B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3129820217.000049E800718000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000018.00000003.2919087349.000049E800D34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3135008942.000049E800DF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000018.00000002.3130578209.000049E80080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3131396696.000049E800960000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000018.00000002.3126291628.000049E8001D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3131396696.000049E800960000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000018.00000002.3135429217.000049E800E40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: 03f60c0f6e.exe, 00000009.00000003.2667307921.0000000003E61000.00000004.00000800.00020000.00000000.sdmp, 03f60c0f6e.exe, 00000009.00000003.2667431694.0000000003742000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3128137037.000049E8004F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3133306125.000049E800C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.2917773681.000049E800C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3128689965.000049E8005D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000018.00000002.3128689965.000049E8005D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoenterInsightsI
Source: chrome.exe, 00000018.00000002.3126541904.000049E8002A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/speech-api/v2/synthesize?
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000018.00000002.3132014581.000049E800A58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000018.00000002.3128641256.000049E8005C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000018.00000002.3133417982.000049E800C60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3126372097.000049E80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000018.00000002.3127828791.000049E80047C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: 03f60c0f6e.exe, 00000009.00000003.2717527566.0000000004082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 03f60c0f6e.exe, 00000009.00000003.2717527566.0000000004082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 03f60c0f6e.exe, 00000009.00000003.2717527566.0000000004082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 03f60c0f6e.exe, 00000009.00000003.2717527566.0000000004082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 03f60c0f6e.exe, 00000009.00000003.2717527566.0000000004082000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000018.00000002.3126692645.000049E8002D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

System Summary
barindex
Drops large PE files
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File dump: service123.exe.7.dr 314617856 Jump to dropped file
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: random[3].exe.6.dr Static PE information: section name:
Source: random[3].exe.6.dr Static PE information: section name: .idata
Source: random[3].exe.6.dr Static PE information: section name:
Source: 17e7d05a4e.exe.6.dr Static PE information: section name:
Source: 17e7d05a4e.exe.6.dr Static PE information: section name: .idata
Source: 17e7d05a4e.exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: 0016128732.exe.6.dr Static PE information: section name:
Source: 0016128732.exe.6.dr Static PE information: section name: .idata
Source: 0016128732.exe.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name:
Source: 48a114f480.exe.6.dr Static PE information: section name:
Source: 48a114f480.exe.6.dr Static PE information: section name: .idata
Source: 48a114f480.exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: fde7a493e9.exe.6.dr Static PE information: section name:
Source: fde7a493e9.exe.6.dr Static PE information: section name: .idata
Source: fde7a493e9.exe.6.dr Static PE information: section name:
Source: random[2].exe1.6.dr Static PE information: section name:
Source: random[2].exe1.6.dr Static PE information: section name: .idata
Source: random[2].exe1.6.dr Static PE information: section name:
Source: 98d75c3c44.exe.6.dr Static PE information: section name:
Source: 98d75c3c44.exe.6.dr Static PE information: section name: .idata
Source: 98d75c3c44.exe.6.dr Static PE information: section name:
Source: random[2].exe2.6.dr Static PE information: section name:
Source: random[2].exe2.6.dr Static PE information: section name: .idata
Source: fa82de29a9.exe.6.dr Static PE information: section name:
Source: fa82de29a9.exe.6.dr Static PE information: section name: .idata
Source: random[3].exe1.6.dr Static PE information: section name:
Source: random[3].exe1.6.dr Static PE information: section name: .idata
Source: 3c08a943ba.exe.6.dr Static PE information: section name:
Source: 3c08a943ba.exe.6.dr Static PE information: section name: .idata
PE file has a writeable .text section
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002A8860 0_2_002A8860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002A7049 0_2_002A7049
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002A78BB 0_2_002A78BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002A31A8 0_2_002A31A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00264B30 0_2_00264B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002A2D10 0_2_002A2D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00264DE0 0_2_00264DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00297F36 0_2_00297F36
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002A779B 0_2_002A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00107049 1_2_00107049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00108860 1_2_00108860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_001078BB 1_2_001078BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_001031A8 1_2_001031A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_000C4B30 1_2_000C4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00102D10 1_2_00102D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_000C4DE0 1_2_000C4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_000F7F36 1_2_000F7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0010779B 1_2_0010779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00107049 2_2_00107049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00108860 2_2_00108860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_001078BB 2_2_001078BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_001031A8 2_2_001031A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_000C4B30 2_2_000C4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00102D10 2_2_00102D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_000C4DE0 2_2_000C4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_000F7F36 2_2_000F7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0010779B 2_2_0010779B
Enables security privileges
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 002780C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 000DDF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 000D80C0 appears 260 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: random[3].exe.6.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
Source: random[3].exe.6.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
Source: 17e7d05a4e.exe.6.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
Source: 17e7d05a4e.exe.6.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
Source: random[1].exe.6.dr Static PE information: Section: gzrpzaat ZLIB complexity 0.9942267842090475
Source: 0016128732.exe.6.dr Static PE information: Section: gzrpzaat ZLIB complexity 0.9942267842090475
Source: random[1].exe2.6.dr Static PE information: Section: wfipzyes ZLIB complexity 0.9943886664944903
Source: 48a114f480.exe.6.dr Static PE information: Section: wfipzyes ZLIB complexity 0.9943886664944903
Source: random[2].exe.6.dr Static PE information: Section: vqihsser ZLIB complexity 0.9901594543006786
Source: fde7a493e9.exe.6.dr Static PE information: Section: vqihsser ZLIB complexity 0.9901594543006786
Source: random[4].exe0.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: random[4].exe0.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: 6253581e35.exe.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: 6253581e35.exe.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: random[2].exe1.6.dr Static PE information: Section: ZLIB complexity 0.9973779965753424
Source: random[2].exe1.6.dr Static PE information: Section: bdbisbrv ZLIB complexity 0.99442253159257
Source: 98d75c3c44.exe.6.dr Static PE information: Section: ZLIB complexity 0.9973779965753424
Source: 98d75c3c44.exe.6.dr Static PE information: Section: bdbisbrv ZLIB complexity 0.99442253159257
Source: random[3].exe1.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 3c08a943ba.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: fde7a493e9.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 98d75c3c44.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe1.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: c534667f0b.exe.6.dr, Program.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: c534667f0b.exe.6.dr, Program.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: random[1].exe1.6.dr, Program.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: random[1].exe1.6.dr, Program.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@146/120@0/29
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Mutant created: \Sessions\1\BaseNamedObjects\FloppyShip
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{f6bec8ba-58ff-4dfc-9981-2ec5ebd23734}-9MSZ40SLW145
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 03f60c0f6e.exe, 00000009.00000003.2668230562.0000000003711000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe Virustotal: Detection: 58%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 03f60c0f6e.exe String found in binary or memory: p.update.lastUpdateTime.recipe-client-addon-run", 1696333830); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856); user_pref("app.update.lastUpdateTime.xpi-signature-v
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe "C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe "C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe "C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\dciqrtt"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe "C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe "C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe "C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe "C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe"
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=2452,i,6832538450347870675,15529709356732568208,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe "C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=2088,i,14124230610741043506,9399832751077093261,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe "C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2452,i,3932887190901628609,13787986242964853943,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe "C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2464,i,17310931600461636883,12711239818056080546,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe "C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe "C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2844 --field-trial-handle=2600,i,3487772156772132519,12680347466969316362,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe "C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe "C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe "C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2264,i,442136233029730373,2572777427305726788,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe "C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe "C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe "C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe "C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe "C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe "C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe "C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe "C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe "C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe "C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe "C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe "C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\dciqrtt"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe "C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe "C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=2452,i,6832538450347870675,15529709356732568208,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=2088,i,14124230610741043506,9399832751077093261,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2452,i,3932887190901628609,13787986242964853943,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2464,i,17310931600461636883,12711239818056080546,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2844 --field-trial-handle=2600,i,3487772156772132519,12680347466969316362,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2264,i,442136233029730373,2572777427305726788,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Section loaded: kernel.appcore.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: apphelp.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: sspicli.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: wininet.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: rstrtmgr.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: ncrypt.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: ntasn1.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: dbghelp.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: iertutil.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: windows.storage.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: wldp.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: profapi.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: kernel.appcore.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: winhttp.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: mswsock.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: iphlpapi.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: winnsi.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: urlmon.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: srvcli.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: netutils.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: dnsapi.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: rasadhlp.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: fwpuclnt.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: schannel.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: mskeyprotect.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: msasn1.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: dpapi.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: cryptsp.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: rsaenh.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: cryptbase.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: gpapi.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: ncryptsslp.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: ntmarta.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: uxtheme.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: windowscodecs.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: propsys.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: ntshrui.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: cscapi.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: windows.staterepositoryps.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: linkinfo.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: edputil.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: wintypes.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: appresolver.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: bcp47langs.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: slc.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: userenv.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: sppc.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: onecorecommonproxystub.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: pcacli.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: mpr.dll
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Section loaded: sfc_os.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: mscoree.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: kernel.appcore.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: version.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: uxtheme.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: cryptsp.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: rsaenh.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: cryptbase.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dwrite.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: msvcp140_clr0400.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windows.storage.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: wldp.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: profapi.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windows.applicationmodel.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: twinapi.appcore.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: wintypes.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windows.globalization.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: bcp47langs.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: bcp47mrm.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dwmapi.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: d3d9.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: d3d10warp.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: urlmon.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: iertutil.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: srvcli.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: netutils.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windowscodecs.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: msasn1.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: msisip.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: wshext.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: appxsip.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: opcservices.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: esdsip.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ncrypt.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ntasn1.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ncrypt.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ntasn1.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ncryptprov.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: wtsapi32.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: winsta.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: powrprof.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: umpdc.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dataexchange.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: d3d11.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dcomp.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dxgi.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: resourcepolicyclient.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: textshaping.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dxcore.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: winmm.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: textinputframework.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: coreuicomponents.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: coremessaging.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ntmarta.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: coremessaging.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: msctfui.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windows.web.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: uiautomationcore.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: propsys.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: d3dcompiler_47.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: wininet.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: sspicli.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: rasapi32.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: rasman.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: rtutils.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: mswsock.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: winhttp.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: iphlpapi.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dhcpcsvc6.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dhcpcsvc.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: winnsi.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: dnsapi.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: rasadhlp.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: fwpuclnt.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: secur32.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: schannel.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: mskeyprotect.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ncryptsslp.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: gpapi.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: mscms.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: userenv.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: coloradapterclient.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windowscodecsext.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: installservice.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: mpr.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: slc.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: sppc.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: ieframe.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: netapi32.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: wkscli.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windows.staterepositoryps.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: edputil.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: mlang.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: policymanager.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: msvcp110_win.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: twinui.appcore.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: execmodelproxy.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: mrmcorer.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windows.staterepositorycore.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windows.ui.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: windowmanagementapi.dll
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 3269120 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of ifzwduwo is bigger than: 0x100000 < 0x2b2400
Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: c534667f0b.exe, 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2763054192.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000000.2753701164.0000024720CF2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256\u source: c534667f0b.exe, 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2763054192.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000000.2753701164.0000024720CF2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: c534667f0b.exe, 0000000A.00000000.2569293502.0000000000682000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: c534667f0b.exe, 0000000A.00000000.2569293502.0000000000682000.00000002.00000001.01000000.0000000B.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.260000.0.unpack :EW;.rsrc:W;.idata :W;ifzwduwo:EW;kyfineaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ifzwduwo:EW;kyfineaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.c0000.0.unpack :EW;.rsrc:W;.idata :W;ifzwduwo:EW;kyfineaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ifzwduwo:EW;kyfineaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.c0000.0.unpack :EW;.rsrc:W;.idata :W;ifzwduwo:EW;kyfineaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ifzwduwo:EW;kyfineaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Unpacked PE file: 17.2.48a114f480.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wfipzyes:EW;apfxvsxz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wfipzyes:EW;apfxvsxz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Unpacked PE file: 48.2.3c08a943ba.exe.350000.0.unpack :EW;.rsrc:W;.idata :W;dkxxriqm:EW;lwvdqzfy:EW;.taggant:EW; vs :ER;.rsrc:W;
Binary contains a suspicious time stamp
Source: random[1].exe1.6.dr Static PE information: 0x94370F66 [Sun Oct 18 12:19:50 2048 UTC]
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.6.dr Static PE information: real checksum: 0x453c80 should be: 0x448b2d
Source: random[4].exe0.6.dr Static PE information: real checksum: 0x0 should be: 0xc8597
Source: 0016128732.exe.6.dr Static PE information: real checksum: 0x453c80 should be: 0x448b2d
Source: random[3].exe1.6.dr Static PE information: real checksum: 0x2b7503 should be: 0x2b6958
Source: random[1].exe2.6.dr Static PE information: real checksum: 0x454cda should be: 0x45a0f8
Source: 3c08a943ba.exe.6.dr Static PE information: real checksum: 0x2b7503 should be: 0x2b6958
Source: 17e7d05a4e.exe.6.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
Source: fa82de29a9.exe.6.dr Static PE information: real checksum: 0x2cc61c should be: 0x2d30ea
Source: ec04af5574.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe.10.dr Static PE information: real checksum: 0x10c5c5 should be: 0x10b49f
Source: random[3].exe.6.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
Source: skotes.exe.0.dr Static PE information: real checksum: 0x31f402 should be: 0x31ec4e
Source: ebd07c8db5.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: random[2].exe2.6.dr Static PE information: real checksum: 0x2cc61c should be: 0x2d30ea
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1a555c should be: 0x15e8ab
Source: fde7a493e9.exe.6.dr Static PE information: real checksum: 0x1e164c should be: 0x1e3321
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x0 should be: 0x14b59
Source: 48a114f480.exe.6.dr Static PE information: real checksum: 0x454cda should be: 0x45a0f8
Source: random[4].exe1.6.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: c534667f0b.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x14b59
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x243ba
Source: 6253581e35.exe.6.dr Static PE information: real checksum: 0x0 should be: 0xc8597
Source: 98d75c3c44.exe.6.dr Static PE information: real checksum: 0x1cc347 should be: 0x1d18e0
Source: random[4].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: random[2].exe1.6.dr Static PE information: real checksum: 0x1cc347 should be: 0x1d18e0
Source: file.exe Static PE information: real checksum: 0x31f402 should be: 0x31ec4e
Source: 03f60c0f6e.exe.6.dr Static PE information: real checksum: 0x1a555c should be: 0x15e8ab
Source: random[2].exe.6.dr Static PE information: real checksum: 0x1e164c should be: 0x1e3321
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: ifzwduwo
Source: file.exe Static PE information: section name: kyfineaz
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name: ifzwduwo
Source: skotes.exe.0.dr Static PE information: section name: kyfineaz
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[3].exe.6.dr Static PE information: section name:
Source: random[3].exe.6.dr Static PE information: section name: .idata
Source: random[3].exe.6.dr Static PE information: section name:
Source: random[3].exe.6.dr Static PE information: section name: wekcazbo
Source: random[3].exe.6.dr Static PE information: section name: ttllozcv
Source: random[3].exe.6.dr Static PE information: section name: .taggant
Source: 17e7d05a4e.exe.6.dr Static PE information: section name:
Source: 17e7d05a4e.exe.6.dr Static PE information: section name: .idata
Source: 17e7d05a4e.exe.6.dr Static PE information: section name:
Source: 17e7d05a4e.exe.6.dr Static PE information: section name: wekcazbo
Source: 17e7d05a4e.exe.6.dr Static PE information: section name: ttllozcv
Source: 17e7d05a4e.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: gzrpzaat
Source: random[1].exe.6.dr Static PE information: section name: usdkjmbf
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: 0016128732.exe.6.dr Static PE information: section name:
Source: 0016128732.exe.6.dr Static PE information: section name: .idata
Source: 0016128732.exe.6.dr Static PE information: section name:
Source: 0016128732.exe.6.dr Static PE information: section name: gzrpzaat
Source: 0016128732.exe.6.dr Static PE information: section name: usdkjmbf
Source: 0016128732.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name: .eh_fram
Source: 03f60c0f6e.exe.6.dr Static PE information: section name: .eh_fram
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: wfipzyes
Source: random[1].exe2.6.dr Static PE information: section name: apfxvsxz
Source: random[1].exe2.6.dr Static PE information: section name: .taggant
Source: 48a114f480.exe.6.dr Static PE information: section name:
Source: 48a114f480.exe.6.dr Static PE information: section name: .idata
Source: 48a114f480.exe.6.dr Static PE information: section name:
Source: 48a114f480.exe.6.dr Static PE information: section name: wfipzyes
Source: 48a114f480.exe.6.dr Static PE information: section name: apfxvsxz
Source: 48a114f480.exe.6.dr Static PE information: section name: .taggant
Source: random[3].exe0.6.dr Static PE information: section name: .fptable
Source: b73717b60b.exe.6.dr Static PE information: section name: .fptable
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: vqihsser
Source: random[2].exe.6.dr Static PE information: section name: hmiawicu
Source: random[2].exe.6.dr Static PE information: section name: .taggant
Source: fde7a493e9.exe.6.dr Static PE information: section name:
Source: fde7a493e9.exe.6.dr Static PE information: section name: .idata
Source: fde7a493e9.exe.6.dr Static PE information: section name:
Source: fde7a493e9.exe.6.dr Static PE information: section name: vqihsser
Source: fde7a493e9.exe.6.dr Static PE information: section name: hmiawicu
Source: fde7a493e9.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe1.6.dr Static PE information: section name:
Source: random[2].exe1.6.dr Static PE information: section name: .idata
Source: random[2].exe1.6.dr Static PE information: section name:
Source: random[2].exe1.6.dr Static PE information: section name: bdbisbrv
Source: random[2].exe1.6.dr Static PE information: section name: zfipemww
Source: random[2].exe1.6.dr Static PE information: section name: .taggant
Source: 98d75c3c44.exe.6.dr Static PE information: section name:
Source: 98d75c3c44.exe.6.dr Static PE information: section name: .idata
Source: 98d75c3c44.exe.6.dr Static PE information: section name:
Source: 98d75c3c44.exe.6.dr Static PE information: section name: bdbisbrv
Source: 98d75c3c44.exe.6.dr Static PE information: section name: zfipemww
Source: 98d75c3c44.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe2.6.dr Static PE information: section name:
Source: random[2].exe2.6.dr Static PE information: section name: .idata
Source: random[2].exe2.6.dr Static PE information: section name: gpmjnkqq
Source: random[2].exe2.6.dr Static PE information: section name: dddwmisr
Source: random[2].exe2.6.dr Static PE information: section name: .taggant
Source: fa82de29a9.exe.6.dr Static PE information: section name:
Source: fa82de29a9.exe.6.dr Static PE information: section name: .idata
Source: fa82de29a9.exe.6.dr Static PE information: section name: gpmjnkqq
Source: fa82de29a9.exe.6.dr Static PE information: section name: dddwmisr
Source: fa82de29a9.exe.6.dr Static PE information: section name: .taggant
Source: random[3].exe1.6.dr Static PE information: section name:
Source: random[3].exe1.6.dr Static PE information: section name: .idata
Source: random[3].exe1.6.dr Static PE information: section name: dkxxriqm
Source: random[3].exe1.6.dr Static PE information: section name: lwvdqzfy
Source: random[3].exe1.6.dr Static PE information: section name: .taggant
Source: 3c08a943ba.exe.6.dr Static PE information: section name:
Source: 3c08a943ba.exe.6.dr Static PE information: section name: .idata
Source: 3c08a943ba.exe.6.dr Static PE information: section name: dkxxriqm
Source: 3c08a943ba.exe.6.dr Static PE information: section name: lwvdqzfy
Source: 3c08a943ba.exe.6.dr Static PE information: section name: .taggant
Source: service123.exe.7.dr Static PE information: section name: .eh_fram
Source: UKzjyWlrjRLOjKNNlNHI.dll.7.dr Static PE information: section name: .eh_fram
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe.10.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0027D91C push ecx; ret 0_2_0027D92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00271359 push es; ret 0_2_0027135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_000DD91C push ecx; ret 1_2_000DD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_000DD91C push ecx; ret 2_2_000DD92F
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Code function: 9_3_036D6F3A push ecx; retf 9_3_036D6F60
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Code function: 9_3_036D6F3A push ecx; retf 9_3_036D6F60
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Code function: 9_3_036DD0D0 push eax; retf 9_3_036DD0D1
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Code function: 9_3_036D6F3A push ecx; retf 9_3_036D6F60
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Code function: 9_3_036D6F3A push ecx; retf 9_3_036D6F60
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Code function: 9_3_036E34F0 push edi; ret 9_3_036E34F2
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Code function: 9_3_036E3129 push edi; retf 9_3_036E312A
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Code function: 9_3_036E9B90 pushad ; retf 9_3_036E9B91
Source: file.exe Static PE information: section name: entropy: 7.171287246787944
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.171287246787944
Source: random[3].exe.6.dr Static PE information: section name: entropy: 7.980952558000639
Source: random[3].exe.6.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
Source: 17e7d05a4e.exe.6.dr Static PE information: section name: entropy: 7.980952558000639
Source: 17e7d05a4e.exe.6.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
Source: random[1].exe.6.dr Static PE information: section name: gzrpzaat entropy: 7.955149229409411
Source: 0016128732.exe.6.dr Static PE information: section name: gzrpzaat entropy: 7.955149229409411
Source: random[1].exe2.6.dr Static PE information: section name: wfipzyes entropy: 7.956035978180135
Source: 48a114f480.exe.6.dr Static PE information: section name: wfipzyes entropy: 7.956035978180135
Source: random[2].exe.6.dr Static PE information: section name: vqihsser entropy: 7.94869647218417
Source: fde7a493e9.exe.6.dr Static PE information: section name: vqihsser entropy: 7.94869647218417
Source: random[2].exe1.6.dr Static PE information: section name: entropy: 7.982108153140835
Source: random[2].exe1.6.dr Static PE information: section name: bdbisbrv entropy: 7.953898062321803
Source: 98d75c3c44.exe.6.dr Static PE information: section name: entropy: 7.982108153140835
Source: 98d75c3c44.exe.6.dr Static PE information: section name: bdbisbrv entropy: 7.953898062321803

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\Documents\JEHIIDGCFH.exe Jump to dropped file
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File created: C:\Users\user\AppData\Local\Temp\VNY2C8VS9PYFPN1RMQ1W6IX8NL5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[5].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe File created: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe File created: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019464001\ebd07c8db5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019465001\b73717b60b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019466001\6253581e35.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File created: C:\Users\user\AppData\Local\Temp\UKzjyWlrjRLOjKNNlNHI.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[4].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\Documents\JEHIIDGCFH.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019467001\ec04af5574.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File created: C:\Users\user\AppData\Local\Temp\Q1QDVYP373AX8IG2OVIMRA4D.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File created: C:\Users\user\AppData\Local\Temp\9BJKSJ28ISVYA183NQ4PP.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fa82de29a9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 98d75c3c44.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3c08a943ba.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1a0440fbc4.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 98d75c3c44.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 98d75c3c44.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fa82de29a9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fa82de29a9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1a0440fbc4.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1a0440fbc4.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3c08a943ba.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3c08a943ba.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: 3ca42ff3133e49daac5eafe0960f7af0.exe, 00000012.00000000.2752945315.000000000041F000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: %HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF4AE second address: 2CF4B8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF4B8 second address: 2CED46 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jc 00007F61C0BD0386h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 nop 0x00000019 cld 0x0000001a push dword ptr [ebp+122D112Dh] 0x00000020 cmc 0x00000021 call dword ptr [ebp+122D3794h] 0x00000027 pushad 0x00000028 mov dword ptr [ebp+122D2AC6h], ecx 0x0000002e jmp 00007F61C0BD0390h 0x00000033 xor eax, eax 0x00000035 sub dword ptr [ebp+122D2AC6h], ecx 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f pushad 0x00000040 jmp 00007F61C0BD038Dh 0x00000045 xor di, 5E79h 0x0000004a popad 0x0000004b js 00007F61C0BD038Ch 0x00000051 mov dword ptr [ebp+122D3B70h], eax 0x00000057 jmp 00007F61C0BD0390h 0x0000005c mov esi, 0000003Ch 0x00000061 jl 00007F61C0BD038Ch 0x00000067 add esi, dword ptr [esp+24h] 0x0000006b jmp 00007F61C0BD0399h 0x00000070 lodsw 0x00000072 mov dword ptr [ebp+122D36ABh], eax 0x00000078 add eax, dword ptr [esp+24h] 0x0000007c stc 0x0000007d cmc 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 sub dword ptr [ebp+122D36ABh], ebx 0x00000088 nop 0x00000089 push eax 0x0000008a push edx 0x0000008b jbe 00007F61C0BD0388h 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44A9D6 second address: 44A9F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D459h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44AB6D second address: 44AB77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F61C0BD0386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44AB77 second address: 44AB7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44AB7B second address: 44AB85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44AB85 second address: 44AB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44ACE2 second address: 44ACE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44AF9C second address: 44AFA5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44DFD1 second address: 2CED46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 add dword ptr [esp], 14B57545h 0x0000000c push dword ptr [ebp+122D112Dh] 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F61C0BD0388h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov ecx, dword ptr [ebp+122D39D0h] 0x00000032 call dword ptr [ebp+122D3794h] 0x00000038 pushad 0x00000039 mov dword ptr [ebp+122D2AC6h], ecx 0x0000003f jmp 00007F61C0BD0390h 0x00000044 xor eax, eax 0x00000046 sub dword ptr [ebp+122D2AC6h], ecx 0x0000004c mov edx, dword ptr [esp+28h] 0x00000050 pushad 0x00000051 jmp 00007F61C0BD038Dh 0x00000056 xor di, 5E79h 0x0000005b popad 0x0000005c js 00007F61C0BD038Ch 0x00000062 mov dword ptr [ebp+122D2AC6h], ecx 0x00000068 mov dword ptr [ebp+122D3B70h], eax 0x0000006e jmp 00007F61C0BD0390h 0x00000073 mov esi, 0000003Ch 0x00000078 jl 00007F61C0BD038Ch 0x0000007e mov dword ptr [ebp+122D2AC6h], edx 0x00000084 add esi, dword ptr [esp+24h] 0x00000088 jmp 00007F61C0BD0399h 0x0000008d lodsw 0x0000008f mov dword ptr [ebp+122D36ABh], eax 0x00000095 add eax, dword ptr [esp+24h] 0x00000099 stc 0x0000009a cmc 0x0000009b mov ebx, dword ptr [esp+24h] 0x0000009f sub dword ptr [ebp+122D36ABh], ebx 0x000000a5 nop 0x000000a6 push eax 0x000000a7 push edx 0x000000a8 jbe 00007F61C0BD0388h 0x000000ae rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E042 second address: 44E048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E048 second address: 44E04D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E04D second address: 44E0E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 7CB72347h 0x00000010 mov edx, 3E8280CCh 0x00000015 push 00000003h 0x00000017 mov ecx, 1285FA54h 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D295Eh], ecx 0x00000024 push 00000003h 0x00000026 mov ecx, edi 0x00000028 push C8706AD0h 0x0000002d jne 00007F61C0D2D458h 0x00000033 xor dword ptr [esp], 08706AD0h 0x0000003a movzx edx, cx 0x0000003d lea ebx, dword ptr [ebp+12452EE7h] 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F61C0D2D448h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 0000001Dh 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d add edi, 51DD5317h 0x00000063 mov di, bx 0x00000066 push eax 0x00000067 jnp 00007F61C0D2D460h 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F61C0D2D44Eh 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E123 second address: 44E128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E128 second address: 44E1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D450h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f clc 0x00000010 push 00000000h 0x00000012 jg 00007F61C0D2D44Ch 0x00000018 sub dword ptr [ebp+122D36ABh], esi 0x0000001e call 00007F61C0D2D449h 0x00000023 pushad 0x00000024 push ebx 0x00000025 jo 00007F61C0D2D446h 0x0000002b pop ebx 0x0000002c pushad 0x0000002d jnp 00007F61C0D2D446h 0x00000033 push esi 0x00000034 pop esi 0x00000035 popad 0x00000036 popad 0x00000037 push eax 0x00000038 push esi 0x00000039 jns 00007F61C0D2D448h 0x0000003f pushad 0x00000040 popad 0x00000041 pop esi 0x00000042 mov eax, dword ptr [esp+04h] 0x00000046 push edi 0x00000047 jmp 00007F61C0D2D456h 0x0000004c pop edi 0x0000004d mov eax, dword ptr [eax] 0x0000004f jmp 00007F61C0D2D44Ah 0x00000054 mov dword ptr [esp+04h], eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F61C0D2D44Bh 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E1B4 second address: 44E1B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E1B8 second address: 44E1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E1BE second address: 44E214 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F61C0BD0388h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [ebp+122D28A1h], edi 0x00000011 push 00000003h 0x00000013 or edi, 0043B337h 0x00000019 push 00000000h 0x0000001b mov esi, dword ptr [ebp+122D39C8h] 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007F61C0BD0388h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 00000014h 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d adc dh, FFFFFFDEh 0x00000040 movsx ecx, cx 0x00000043 push 48836EC4h 0x00000048 push eax 0x00000049 push edx 0x0000004a push ecx 0x0000004b jc 00007F61C0BD0386h 0x00000051 pop ecx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E214 second address: 44E219 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E336 second address: 44E379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F61C0BD038Dh 0x00000010 mov eax, dword ptr [eax] 0x00000012 push ecx 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 jmp 00007F61C0BD0399h 0x0000001b popad 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E379 second address: 44E37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E37D second address: 44E387 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E387 second address: 44E42D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F61C0D2D446h 0x00000009 jmp 00007F61C0D2D44Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop eax 0x00000012 jmp 00007F61C0D2D451h 0x00000017 movzx ecx, di 0x0000001a push 00000003h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F61C0D2D448h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 0000001Dh 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 movsx esi, bx 0x00000039 push 00000000h 0x0000003b jmp 00007F61C0D2D457h 0x00000040 push 00000003h 0x00000042 mov edi, eax 0x00000044 call 00007F61C0D2D449h 0x00000049 pushad 0x0000004a pushad 0x0000004b push esi 0x0000004c pop esi 0x0000004d push ebx 0x0000004e pop ebx 0x0000004f popad 0x00000050 pushad 0x00000051 push edi 0x00000052 pop edi 0x00000053 push ecx 0x00000054 pop ecx 0x00000055 popad 0x00000056 popad 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jnl 00007F61C0D2D459h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E42D second address: 44E457 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F61C0BD0388h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F61C0BD0398h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E457 second address: 44E48B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jno 00007F61C0D2D44Eh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F61C0D2D44Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 44E48B second address: 44E50E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F61C0BD038Ch 0x0000000c popad 0x0000000d pop eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F61C0BD0388h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 call 00007F61C0BD0396h 0x0000002d add ecx, 15BFE317h 0x00000033 pop esi 0x00000034 lea ebx, dword ptr [ebp+12452EFBh] 0x0000003a mov edi, dword ptr [ebp+122D3BF4h] 0x00000040 xchg eax, ebx 0x00000041 jmp 00007F61C0BD0399h 0x00000046 push eax 0x00000047 jl 00007F61C0BD0394h 0x0000004d push eax 0x0000004e push edx 0x0000004f jne 00007F61C0BD0386h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46C413 second address: 46C417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46C417 second address: 46C41F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46C41F second address: 46C424 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46CA0B second address: 46CA1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46CE73 second address: 46CEAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D458h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F61C0D2D459h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46CFEB second address: 46CFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46CFEF second address: 46D004 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Bh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46D004 second address: 46D008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46D143 second address: 46D18C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F61C0D2D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F61C0D2D450h 0x00000019 jc 00007F61C0D2D452h 0x0000001f jmp 00007F61C0D2D44Ah 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a jmp 00007F61C0D2D44Fh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46D43E second address: 46D445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46D445 second address: 46D458 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007F61C0D2D446h 0x00000009 pop edi 0x0000000a pushad 0x0000000b jl 00007F61C0D2D446h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46D458 second address: 46D45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46D5CC second address: 46D5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F61C0D2D446h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F61C0D2D44Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461360 second address: 461366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461366 second address: 46136A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46D76B second address: 46D78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F61C0BD0386h 0x0000000a popad 0x0000000b jmp 00007F61C0BD038Fh 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46DCE2 second address: 46DCFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F61C0D2D450h 0x0000000c push ebx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46DE92 second address: 46DE96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46E013 second address: 46E01F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46E01F second address: 46E023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46E171 second address: 46E17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F61C0D2D446h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46E17D second address: 46E181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 471F46 second address: 471F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 472445 second address: 472449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4725E2 second address: 4725E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4725E7 second address: 4725ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 474E9B second address: 474EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47A160 second address: 47A180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jnc 00007F61C0BD0397h 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47A180 second address: 47A184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47A30B second address: 47A311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47A311 second address: 47A315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47A457 second address: 47A4C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F61C0BD0398h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 push eax 0x00000012 jmp 00007F61C0BD0399h 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F61C0BD038Fh 0x0000001f jmp 00007F61C0BD0399h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47BB77 second address: 47BB7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C0F1 second address: 47C124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F61C0BD0394h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C124 second address: 47C129 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C1EA second address: 47C1F4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C4E2 second address: 47C506 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C506 second address: 47C50C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C50C second address: 47C511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C6DF second address: 47C70A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jnp 00007F61C0BD03A9h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F61C0BD0397h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C70A second address: 47C70E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47C748 second address: 47C74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47D5FB second address: 47D60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F61C0D2D446h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47D60B second address: 47D627 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0398h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47D627 second address: 47D6AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F61C0D2D448h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 and esi, dword ptr [ebp+122D38E8h] 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F61C0D2D448h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 or dword ptr [ebp+122D1CF2h], edi 0x0000004d mov di, 319Ah 0x00000051 xchg eax, ebx 0x00000052 push ecx 0x00000053 jmp 00007F61C0D2D454h 0x00000058 pop ecx 0x00000059 push eax 0x0000005a pushad 0x0000005b jo 00007F61C0D2D448h 0x00000061 pushad 0x00000062 popad 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47D6AB second address: 47D6AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48093A second address: 48093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48093F second address: 480949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F61C0BD0386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47FBFF second address: 47FC07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4813AB second address: 4813AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4813AF second address: 481437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jbe 00007F61C0D2D45Ah 0x0000000e jnc 00007F61C0D2D454h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F61C0D2D448h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov esi, dword ptr [ebp+122D2968h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F61C0D2D448h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000015h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D2344h], edx 0x00000057 push 00000000h 0x00000059 or dword ptr [ebp+1247C199h], esi 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F61C0D2D44Bh 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 481E68 second address: 481E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F61C0BD038Ch 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48112B second address: 48112F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48587E second address: 485882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 485882 second address: 485888 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 485888 second address: 48588C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486D1D second address: 486D3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F61C0D2D448h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 485F9A second address: 485F9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486D3A second address: 486D51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0D2D453h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486D51 second address: 486D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 487D03 second address: 487D49 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F61C0D2D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov bx, 5D87h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F61C0D2D448h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov edi, ebx 0x0000002f push 00000000h 0x00000031 mov ebx, dword ptr [ebp+122D372Bh] 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486E7F second address: 486E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 487D49 second address: 487D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 487D4D second address: 487D73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F61C0BD038Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486E86 second address: 486EF9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F61C0D2D448h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a or dword ptr [ebp+122D36ABh], eax 0x00000030 xor dword ptr [ebp+122D1C4Ah], edx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d jmp 00007F61C0D2D455h 0x00000042 mov eax, dword ptr [ebp+122D0935h] 0x00000048 mov di, bx 0x0000004b push FFFFFFFFh 0x0000004d mov dword ptr [ebp+122D2A9Fh], ecx 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486EF9 second address: 486EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486EFD second address: 486F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 487FD2 second address: 487FE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486F01 second address: 486F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 488D0A second address: 488D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD0394h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F61C0BD038Eh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F61C0BD0388h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D3938h] 0x00000032 sub dword ptr [ebp+1247A242h], esi 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007F61C0BD0388h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 00000016h 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 cld 0x00000055 push 00000000h 0x00000057 jmp 00007F61C0BD038Eh 0x0000005c push eax 0x0000005d push edi 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486F07 second address: 486F0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486F0D second address: 486F11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 489C95 second address: 489C9A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 488EFB second address: 488EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 488EFF second address: 488F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 489D24 second address: 489D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 488F05 second address: 488F0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 488F0B second address: 488FC7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F61C0BD0388h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D370Dh], esi 0x0000002b push dword ptr fs:[00000000h] 0x00000032 mov ebx, 19BD4684h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov ebx, 1C4FDC91h 0x00000043 mov eax, dword ptr [ebp+122D06F9h] 0x00000049 movsx ebx, di 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push ecx 0x00000051 call 00007F61C0BD0388h 0x00000056 pop ecx 0x00000057 mov dword ptr [esp+04h], ecx 0x0000005b add dword ptr [esp+04h], 00000018h 0x00000063 inc ecx 0x00000064 push ecx 0x00000065 ret 0x00000066 pop ecx 0x00000067 ret 0x00000068 mov ebx, dword ptr [ebp+122D3B9Ch] 0x0000006e mov dword ptr [ebp+122D2A6Bh], edi 0x00000074 jl 00007F61C0BD0392h 0x0000007a jmp 00007F61C0BD038Ch 0x0000007f nop 0x00000080 jmp 00007F61C0BD0395h 0x00000085 push eax 0x00000086 push eax 0x00000087 push edx 0x00000088 jmp 00007F61C0BD0392h 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48ABBF second address: 48ABC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48ABC3 second address: 48AC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 movsx edi, dx 0x0000000c push 00000000h 0x0000000e sbb bx, C7D9h 0x00000013 mov ebx, dword ptr [ebp+122D3BB0h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F61C0BD0388h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 push eax 0x00000036 pushad 0x00000037 push esi 0x00000038 push edx 0x00000039 pop edx 0x0000003a pop esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jc 00007F61C0BD0386h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48BB71 second address: 48BB75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48BB75 second address: 48BB79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48AD6D second address: 48AD8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D457h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48EBCF second address: 48EBD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48EBD4 second address: 48EBD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48ECA4 second address: 48ECA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 490D47 second address: 490D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 490D52 second address: 490D5F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 490D5F second address: 490D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 491E9A second address: 491EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0BD0392h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 491EB0 second address: 491EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 491EB4 second address: 491F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F61C0BD0399h 0x0000000e nop 0x0000000f call 00007F61C0BD0396h 0x00000014 mov bx, cx 0x00000017 pop ebx 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D3706h], ecx 0x00000020 push 00000000h 0x00000022 mov di, 160Eh 0x00000026 mov ebx, 1EF33822h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jp 00007F61C0BD0386h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 491F0F second address: 491F15 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48EDF3 second address: 48EDF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48EED0 second address: 48EEDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F61C0D2D446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FE37 second address: 48FEBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F61C0BD0388h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov ebx, dword ptr [ebp+122D1DB6h] 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov ebx, dword ptr [ebp+122D2B08h] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F61C0BD0388h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000016h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 jns 00007F61C0BD038Ch 0x0000005d mov eax, dword ptr [ebp+122D14B1h] 0x00000063 mov dword ptr [ebp+122D3197h], ebx 0x00000069 push FFFFFFFFh 0x0000006b push edi 0x0000006c mov bl, ah 0x0000006e pop edi 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 push ebx 0x00000073 push edi 0x00000074 pop edi 0x00000075 pop ebx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FEBD second address: 48FEC7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F61C0D2D44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FEC7 second address: 48FED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jp 00007F61C0BD0386h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FED8 second address: 48FEDD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49302F second address: 493039 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F61C0BD038Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 494130 second address: 494137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D82C second address: 49D834 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D834 second address: 49D83E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F61C0D2D446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D83E second address: 49D849 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49DC4E second address: 49DC63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D450h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49DC63 second address: 49DC92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F61C0BD0394h 0x00000008 js 00007F61C0BD0386h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 jng 00007F61C0BD0388h 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A42AC second address: 4A42B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A42B0 second address: 4A42BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A42BA second address: 4A42C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A6B0C second address: 4A6B12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A6D9F second address: 2CED46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d popad 0x0000000e xor dword ptr [esp], 0A4EFB98h 0x00000015 cmc 0x00000016 push dword ptr [ebp+122D112Dh] 0x0000001c jmp 00007F61C0D2D450h 0x00000021 call dword ptr [ebp+122D3794h] 0x00000027 pushad 0x00000028 mov dword ptr [ebp+122D2AC6h], ecx 0x0000002e jmp 00007F61C0D2D450h 0x00000033 xor eax, eax 0x00000035 sub dword ptr [ebp+122D2AC6h], ecx 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f pushad 0x00000040 jmp 00007F61C0D2D44Dh 0x00000045 xor di, 5E79h 0x0000004a popad 0x0000004b js 00007F61C0D2D44Ch 0x00000051 mov dword ptr [ebp+122D2AC6h], ecx 0x00000057 mov dword ptr [ebp+122D3B70h], eax 0x0000005d jmp 00007F61C0D2D450h 0x00000062 mov esi, 0000003Ch 0x00000067 jl 00007F61C0D2D44Ch 0x0000006d mov dword ptr [ebp+122D2AC6h], edx 0x00000073 add esi, dword ptr [esp+24h] 0x00000077 jmp 00007F61C0D2D459h 0x0000007c lodsw 0x0000007e mov dword ptr [ebp+122D36ABh], eax 0x00000084 add eax, dword ptr [esp+24h] 0x00000088 stc 0x00000089 cmc 0x0000008a mov ebx, dword ptr [esp+24h] 0x0000008e sub dword ptr [ebp+122D36ABh], ebx 0x00000094 nop 0x00000095 push eax 0x00000096 push edx 0x00000097 jbe 00007F61C0D2D448h 0x0000009d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43604E second address: 43608F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F61C0BD0393h 0x00000008 pop edx 0x00000009 jp 00007F61C0BD039Eh 0x0000000f jmp 00007F61C0BD0396h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 js 00007F61C0BD03BFh 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43608F second address: 4360BF instructions: 0x00000000 rdtsc 0x00000002 je 00007F61C0D2D446h 0x00000008 jno 00007F61C0D2D446h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F61C0D2D459h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC781 second address: 4AC78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4ACEA0 second address: 4ACEA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4ACEA4 second address: 4ACEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD0396h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4ACEC0 second address: 4ACEC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4ACEC8 second address: 4ACECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4ACECC second address: 4ACEE0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F61C0D2D446h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F61C0D2D460h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD056 second address: 4AD05C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD7F5 second address: 4AD80E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007F61C0D2D44Eh 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD80E second address: 4AD818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD98B second address: 4AD9BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F61C0D2D44Eh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F61C0D2D44Eh 0x00000013 jng 00007F61C0D2D450h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD9BF second address: 4AD9C4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0001 second address: 4B0024 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ebx 0x0000000f jbe 00007F61C0D2D44Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B481B second address: 4B4823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4823 second address: 4B482C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B482C second address: 4B4831 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4831 second address: 4B4837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4837 second address: 4B484C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F61C0BD038Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B36BC second address: 4B36C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48302C second address: 461360 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F61C0BD0388h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 jmp 00007F61C0BD0392h 0x0000002c push eax 0x0000002d mov ecx, 24C7759Dh 0x00000032 pop edx 0x00000033 call dword ptr [ebp+122D1E10h] 0x00000039 push ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48312E second address: 483132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48326F second address: 483279 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F61C0BD038Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483620 second address: 483624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483624 second address: 2CED46 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D2AC6h], eax 0x0000000e push dword ptr [ebp+122D112Dh] 0x00000014 mov edx, 3114CD51h 0x00000019 jbe 00007F61C0BD038Fh 0x0000001f call dword ptr [ebp+122D3794h] 0x00000025 pushad 0x00000026 mov dword ptr [ebp+122D2AC6h], ecx 0x0000002c jmp 00007F61C0BD0390h 0x00000031 xor eax, eax 0x00000033 sub dword ptr [ebp+122D2AC6h], ecx 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d pushad 0x0000003e jmp 00007F61C0BD038Dh 0x00000043 xor di, 5E79h 0x00000048 popad 0x00000049 js 00007F61C0BD038Ch 0x0000004f mov dword ptr [ebp+122D2AC6h], ecx 0x00000055 mov dword ptr [ebp+122D3B70h], eax 0x0000005b jmp 00007F61C0BD0390h 0x00000060 mov esi, 0000003Ch 0x00000065 jl 00007F61C0BD038Ch 0x0000006b mov dword ptr [ebp+122D2AC6h], edx 0x00000071 add esi, dword ptr [esp+24h] 0x00000075 jmp 00007F61C0BD0399h 0x0000007a lodsw 0x0000007c mov dword ptr [ebp+122D36ABh], eax 0x00000082 add eax, dword ptr [esp+24h] 0x00000086 stc 0x00000087 cmc 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c sub dword ptr [ebp+122D36ABh], ebx 0x00000092 nop 0x00000093 push eax 0x00000094 push edx 0x00000095 jbe 00007F61C0BD0388h 0x0000009b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483A9C second address: 483AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F61C0D2D446h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483AA9 second address: 483ABA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jp 00007F61C0BD038Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483ABA second address: 483B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F61C0D2D448h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F61C0D2D448h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 pushad 0x00000029 add ax, A7B1h 0x0000002e mov dword ptr [ebp+122D2F53h], eax 0x00000034 popad 0x00000035 push 00000004h 0x00000037 mov dword ptr [ebp+122D2AE4h], edi 0x0000003d mov edi, ebx 0x0000003f nop 0x00000040 jmp 00007F61C0D2D453h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push esi 0x00000049 js 00007F61C0D2D446h 0x0000004f pop esi 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483B1B second address: 483B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483B21 second address: 483B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483F48 second address: 483FA6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F61C0BD0388h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D2A93h], edi 0x0000002e push 0000001Eh 0x00000030 mov dword ptr [ebp+122D238Bh], ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F61C0BD0399h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4842C1 second address: 4842C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4842C6 second address: 4842DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0BD0393h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 484363 second address: 484367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 484367 second address: 48436B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48436B second address: 48437C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F61C0D2D446h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48437C second address: 4843C9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 js 00007F61C0BD038Ch 0x0000000e jg 00007F61C0BD0386h 0x00000014 lea eax, dword ptr [ebp+12487D44h] 0x0000001a jmp 00007F61C0BD038Dh 0x0000001f nop 0x00000020 jo 00007F61C0BD039Ch 0x00000026 jmp 00007F61C0BD0396h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 push eax 0x00000032 pop eax 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4843C9 second address: 461E7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F61C0D2D448h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 or edi, dword ptr [ebp+122D2AD5h] 0x0000002a mov cl, ah 0x0000002c lea eax, dword ptr [ebp+12487D00h] 0x00000032 xor dword ptr [ebp+122D23FAh], ebx 0x00000038 push eax 0x00000039 push ebx 0x0000003a pushad 0x0000003b jmp 00007F61C0D2D457h 0x00000040 jmp 00007F61C0D2D44Ch 0x00000045 popad 0x00000046 pop ebx 0x00000047 mov dword ptr [esp], eax 0x0000004a call dword ptr [ebp+122D2363h] 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 push ebx 0x00000056 pop ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461E7D second address: 461E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461E86 second address: 461E8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461E8C second address: 461EB0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 jg 00007F61C0BD0388h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F61C0BD0396h 0x00000018 jmp 00007F61C0BD038Ah 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461EB0 second address: 461EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461EB4 second address: 461EBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461EBC second address: 461EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461EC0 second address: 461EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461EC9 second address: 461ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 461ECF second address: 461ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3E09 second address: 4B3E0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3E0D second address: 4B3E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F61C0BD038Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90BE second address: 4B90C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9229 second address: 4B922F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9675 second address: 4B9693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F61C0D2D457h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9945 second address: 4B9949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9949 second address: 4B994F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B994F second address: 4B9990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F61C0BD038Eh 0x0000000c jc 00007F61C0BD0386h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F61C0BD0398h 0x0000001b jmp 00007F61C0BD0393h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9ABB second address: 4B9ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F61C0D2D446h 0x0000000a pop esi 0x0000000b push esi 0x0000000c jmp 00007F61C0D2D44Ah 0x00000011 jo 00007F61C0D2D446h 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9ADC second address: 4B9AE2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9C47 second address: 4B9C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BF3D2 second address: 4BF3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BF6F7 second address: 4BF714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D457h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BF954 second address: 4BF983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F61C0BD0388h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F61C0BD0390h 0x00000016 je 00007F61C0BD0386h 0x0000001c jnp 00007F61C0BD0386h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BF983 second address: 4BF988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BEFC2 second address: 4BEFEF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F61C0BD0393h 0x00000013 jmp 00007F61C0BD038Dh 0x00000018 jmp 00007F61C0BD038Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BFF22 second address: 4BFF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D44Eh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c ja 00007F61C0D2D446h 0x00000012 ja 00007F61C0D2D446h 0x00000018 popad 0x00000019 jne 00007F61C0D2D44Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C0097 second address: 4C00AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F61C0BD0393h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA943 second address: 4CA94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA47A second address: 4CA487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F61C0BD038Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CCE5A second address: 4CCE5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CCE5E second address: 4CCE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CCE6A second address: 4CCE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D459h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CCE87 second address: 4CCE8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4396BC second address: 4396C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4396C2 second address: 4396E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 jmp 00007F61C0BD0398h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC9A4 second address: 4CC9B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F61C0D2D446h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC9B0 second address: 4CC9BE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC9BE second address: 4CC9CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC9CE second address: 4CC9F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F61C0BD0398h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4436B1 second address: 4436CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4436CD second address: 4436D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4436D1 second address: 4436DD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F61C0D2D446h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D58D3 second address: 4D58D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D4CAB second address: 4D4D02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F61C0D2D456h 0x0000000f jmp 00007F61C0D2D450h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F61C0D2D459h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D4FC2 second address: 4D4FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D4FCC second address: 4D4FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F61C0D2D446h 0x0000000a popad 0x0000000b jnp 00007F61C0D2D462h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB5BA second address: 4DB5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB5BE second address: 4DB5C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9F47 second address: 4D9F4F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9F4F second address: 4D9F63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Fh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0B0 second address: 4DA0CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007F61C0BD0386h 0x00000009 jnp 00007F61C0BD0386h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jnp 00007F61C0BD03B0h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0CC second address: 4DA0E6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F61C0D2D446h 0x00000008 jg 00007F61C0D2D446h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F61C0D2D446h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0E6 second address: 4DA0EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA509 second address: 4DA51C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F61C0D2D44Ch 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483CE0 second address: 483CF4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F61C0BD0386h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483CF4 second address: 483D60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D453h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b mov cx, C4ABh 0x0000000f mov ebx, dword ptr [ebp+12487D3Fh] 0x00000015 mov ecx, eax 0x00000017 add eax, ebx 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F61C0D2D448h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 mov edi, dword ptr [ebp+122D23EAh] 0x00000039 call 00007F61C0D2D44Bh 0x0000003e sub ch, 00000025h 0x00000041 pop edi 0x00000042 nop 0x00000043 pushad 0x00000044 pushad 0x00000045 push ebx 0x00000046 pop ebx 0x00000047 push eax 0x00000048 pop eax 0x00000049 popad 0x0000004a push eax 0x0000004b push edx 0x0000004c jng 00007F61C0D2D446h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483D60 second address: 483D85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F61C0BD0388h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483D85 second address: 483D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483D8B second address: 483D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483D8F second address: 483DB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov di, FE2Eh 0x00000010 push 00000004h 0x00000012 add edi, dword ptr [ebp+122D235Eh] 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e push edi 0x0000001f pop edi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483DB9 second address: 483DBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA931 second address: 4DA935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA935 second address: 4DA93F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA93F second address: 4DA945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA945 second address: 4DA94F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F61C0BD0386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA94F second address: 4DA953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DDFC9 second address: 4DDFD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F61C0BD0386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DDFD3 second address: 4DDFDC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DDFDC second address: 4DE000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD0399h 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE000 second address: 4DE006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE006 second address: 4DE00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE00F second address: 4DE013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE013 second address: 4DE01B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE01B second address: 4DE02F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E50D1 second address: 4E50E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0390h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E50E8 second address: 4E5101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D453h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E553C second address: 4E5556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0395h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E5B42 second address: 4E5B58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F61C0D2D446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F61C0D2D446h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E5B58 second address: 4E5B75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F61C0BD0386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F61C0BD038Ch 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E5B75 second address: 4E5BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F61C0D2D44Fh 0x0000000d jns 00007F61C0D2D45Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6427 second address: 4E642D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E642D second address: 4E6440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F61C0D2D446h 0x0000000a popad 0x0000000b js 00007F61C0D2D44Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EAFEA second address: 4EAFFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F61C0BD038Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA0DE second address: 4EA0E8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F61C0D2D44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA234 second address: 4EA23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA3C6 second address: 4EA3D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA533 second address: 4EA538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA538 second address: 4EA551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F61C0D2D452h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA81E second address: 4EA822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA822 second address: 4EA847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F61C0D2D457h 0x0000000d jno 00007F61C0D2D446h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA847 second address: 4EA869 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F61C0BD0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F61C0BD0395h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA869 second address: 4EA871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA9BA second address: 4EA9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA9BE second address: 4EA9C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA9C2 second address: 4EA9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F61C0BD0398h 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F61C0BD0397h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA9FD second address: 4EAA1B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F61C0D2D448h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F61C0D2D450h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EACCC second address: 4EACD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EACD4 second address: 4EACDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F2126 second address: 4F2147 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F61C0BD0398h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F2147 second address: 4F214D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F214D second address: 4F216A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F61C0BD038Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F61C0BD0388h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F83A8 second address: 4F83AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F8783 second address: 4F8793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Ah 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F8793 second address: 4F87AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F61C0D2D455h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F87AE second address: 4F87C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F61C0BD0396h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F88F3 second address: 4F8912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D44Eh 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 je 00007F61C0D2D446h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F8ED7 second address: 4F8EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD038Fh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007F61C0BD0386h 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F8EF8 second address: 4F8F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F61C0D2D457h 0x0000000b pop ecx 0x0000000c popad 0x0000000d jnp 00007F61C0D2D480h 0x00000013 push ecx 0x00000014 jmp 00007F61C0D2D44Ch 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F61C0D2D44Eh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9971 second address: 4F9975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7F0F second address: 4F7F3E instructions: 0x00000000 rdtsc 0x00000002 je 00007F61C0D2D446h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F61C0D2D457h 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7F3E second address: 4F7F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD0399h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500B0C second address: 500B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D456h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500561 second address: 500574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Eh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5007D7 second address: 5007DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5007DD second address: 5007FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Bh 0x00000007 je 00007F61C0BD0386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F61C0BD0386h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5007FA second address: 500829 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F61C0D2D453h 0x0000000d pushad 0x0000000e jp 00007F61C0D2D446h 0x00000014 jmp 00007F61C0D2D44Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B6C5 second address: 50B6CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50DD27 second address: 50DD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50DD32 second address: 50DD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50DD38 second address: 50DD3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50DD3C second address: 50DD53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F61C0BD0386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d js 00007F61C0BD03A4h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50DD53 second address: 50DD57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5158EB second address: 5158FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F61C0BD0386h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5158FA second address: 5158FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A56C second address: 51A585 instructions: 0x00000000 rdtsc 0x00000002 js 00007F61C0BD039Bh 0x00000008 jmp 00007F61C0BD038Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A585 second address: 51A58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52324C second address: 523263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F61C0BD0386h 0x0000000a popad 0x0000000b jc 00007F61C0BD038Ch 0x00000011 jc 00007F61C0BD0386h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230D3 second address: 5230D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524938 second address: 52493D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52493D second address: 524949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F61C0D2D446h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524949 second address: 524966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F61C0BD0393h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524966 second address: 524978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F61C0D2D446h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524978 second address: 52497E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52497E second address: 5249AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F61C0D2D455h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jnl 00007F61C0D2D446h 0x00000014 popad 0x00000015 jl 00007F61C0D2D44Eh 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52F1A3 second address: 52F1A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52F1A7 second address: 52F1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D459h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52F1C6 second address: 52F1D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F61C0BD0386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52F1D0 second address: 52F1D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52F1D4 second address: 52F21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F61C0BD038Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007F61C0BD038Eh 0x00000016 jmp 00007F61C0BD038Dh 0x0000001b popad 0x0000001c jnp 00007F61C0BD038Ah 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pushad 0x00000025 popad 0x00000026 pushad 0x00000027 jg 00007F61C0BD0386h 0x0000002d pushad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DA88 second address: 52DAA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D454h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DAA2 second address: 52DAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DBFD second address: 52DC09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DC09 second address: 52DC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jmp 00007F61C0BD0394h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DC29 second address: 52DC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DF00 second address: 52DF06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DF06 second address: 52DF10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F61C0D2D446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DF10 second address: 52DF21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DF21 second address: 52DF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DF25 second address: 52DF29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DF29 second address: 52DF6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0D2D44Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F61C0D2D455h 0x00000011 jmp 00007F61C0D2D459h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0BD second address: 52E0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0C1 second address: 52E10E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F61C0D2D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F61C0D2D455h 0x0000000f pop esi 0x00000010 pushad 0x00000011 jnc 00007F61C0D2D44Ch 0x00000017 jmp 00007F61C0D2D457h 0x0000001c push edx 0x0000001d jno 00007F61C0D2D446h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EE9E second address: 52EEB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EEB0 second address: 52EEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F61C0D2D446h 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F61C0D2D446h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F61C0D2D453h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EEDD second address: 52EEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EEE1 second address: 52EEF5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F61C0D2D446h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F61C0D2D446h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EEF5 second address: 52EEF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53382C second address: 53384A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F61C0D2D459h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F61C0D2D451h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53399F second address: 5339CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD0398h 0x00000009 jmp 00007F61C0BD038Fh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5339CB second address: 5339D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5339D1 second address: 5339DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F61C0BD0386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5339DB second address: 5339F9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F61C0D2D446h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jnl 00007F61C0D2D44Ch 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B0B4 second address: 43B0BA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55022B second address: 550231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550231 second address: 550249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD0394h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500B0 second address: 5500B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500B6 second address: 5500C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500C1 second address: 5500CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jc 00007F61C0D2D44Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500CF second address: 5500E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F61C0BD038Ah 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F61C0BD0386h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551DF0 second address: 551E0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0D2D459h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551E0D second address: 551E29 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F61C0BD0390h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551E29 second address: 551E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551FD3 second address: 551FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56C674 second address: 56C6AD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F61C0D2D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F61C0D2D456h 0x00000015 pop edi 0x00000016 jmp 00007F61C0D2D452h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4343D7 second address: 434400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F61C0BD0397h 0x00000008 jmp 00007F61C0BD038Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 434400 second address: 434424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F61C0D2D44Fh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F61C0D2D44Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56B773 second address: 56B79D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007F61C0BD0390h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F61C0BD038Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56B79D second address: 56B7A7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F61C0D2D446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56B7A7 second address: 56B7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F61C0BD0391h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56B92E second address: 56B93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0D2D44Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56C1C6 second address: 56C1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F61C0BD0386h 0x0000000a jmp 00007F61C0BD038Bh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56C1E2 second address: 56C1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56C1E8 second address: 56C1EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56C39E second address: 56C3A8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F61C0D2D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5707CC second address: 5707F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD0392h 0x00000009 pop edi 0x0000000a jmp 00007F61C0BD0396h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572620 second address: 572624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0E74 second address: 4BB0E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0BD0395h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0E8D second address: 4BB0EB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F61C0D2D44Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0EB4 second address: 4BB0F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F61C0BD0397h 0x00000009 sbb cx, 477Eh 0x0000000e jmp 00007F61C0BD0399h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b call 00007F61C0BD038Dh 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push esi 0x00000024 pop ebx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0F07 second address: 4BB0F72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F61C0D2D450h 0x00000010 mov ebp, esp 0x00000012 jmp 00007F61C0D2D450h 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F61C0D2D44Dh 0x00000021 sub esi, 2D5AEF26h 0x00000027 jmp 00007F61C0D2D451h 0x0000002c popfd 0x0000002d mov edi, esi 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA0D74 second address: 4BA0D86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0BD038Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA0D86 second address: 4BA0DA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov eax, 5E233809h 0x0000000f mov al, 4Bh 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov esi, 698D3579h 0x0000001d mov ax, B035h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0BA3 second address: 4BE0BA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0BA9 second address: 4BE0BBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ebx, 09436526h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0BBB second address: 4BE0BC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0BC1 second address: 4BE0BEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D455h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F61C0D2D44Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80091 second address: 4B800A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0BD038Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B800A3 second address: 4B80156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b movsx edi, si 0x0000000e pop ecx 0x0000000f push ebx 0x00000010 jmp 00007F61C0D2D44Eh 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F61C0D2D457h 0x00000021 add ah, 0000001Eh 0x00000024 jmp 00007F61C0D2D459h 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007F61C0D2D450h 0x00000030 adc cl, 00000018h 0x00000033 jmp 00007F61C0D2D44Bh 0x00000038 popfd 0x00000039 popad 0x0000003a mov ebp, esp 0x0000003c jmp 00007F61C0D2D456h 0x00000041 push dword ptr [ebp+04h] 0x00000044 pushad 0x00000045 mov eax, 2DAF848Dh 0x0000004a popad 0x0000004b push dword ptr [ebp+0Ch] 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 mov bx, si 0x00000054 call 00007F61C0D2D44Ch 0x00000059 pop eax 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80156 second address: 4B80186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0390h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F61C0BD0397h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80186 second address: 4B8018B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B801A0 second address: 4B801A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B801A4 second address: 4B801AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B801AA second address: 4B801C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0390h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B801C5 second address: 4B801C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B801C9 second address: 4B801CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA0B3E second address: 4BA0B44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA076D second address: 4BA0771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA0771 second address: 4BA0777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA0777 second address: 4BA0788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0BD038Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA0788 second address: 4BA07AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F61C0D2D44Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA066D second address: 4BA068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F61C0BD038Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA03D8 second address: 4BA03DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA03DE second address: 4BA03F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA03F7 second address: 4BA03FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA03FB second address: 4BA0454 instructions: 0x00000000 rdtsc 0x00000002 mov dl, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F61C0BD0397h 0x0000000f adc cx, DCCEh 0x00000014 jmp 00007F61C0BD0399h 0x00000019 popfd 0x0000001a popad 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e jmp 00007F61C0BD038Eh 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA0454 second address: 4BA045A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0156 second address: 4BB0169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61C0BD038Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0169 second address: 4BB0183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, bh 0x00000005 mov ax, D3E9h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F61C0D2D44Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0183 second address: 4BB01CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F61C0BD038Fh 0x00000009 or ch, FFFFFFCEh 0x0000000c jmp 00007F61C0BD0399h 0x00000011 popfd 0x00000012 push esi 0x00000013 pop ebx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007F61C0BD038Dh 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB01CD second address: 4BB01D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB01D1 second address: 4BB01D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB01D7 second address: 4BB021A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D452h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007F61C0D2D44Eh 0x00000011 mov dx, cx 0x00000014 pop eax 0x00000015 mov bl, A9h 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F61C0D2D450h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB021A second address: 4BB021E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB021E second address: 4BB0224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0B2D second address: 4BE0B73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0396h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F61C0BD0390h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F61C0BD0397h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC0349 second address: 4BC03C0 instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov si, 0D2Dh 0x0000000b popad 0x0000000c mov eax, dword ptr [ebp+08h] 0x0000000f jmp 00007F61C0D2D458h 0x00000014 and dword ptr [eax], 00000000h 0x00000017 jmp 00007F61C0D2D450h 0x0000001c and dword ptr [eax+04h], 00000000h 0x00000020 pushad 0x00000021 mov ecx, 518C2C7Dh 0x00000026 pushfd 0x00000027 jmp 00007F61C0D2D44Ah 0x0000002c and esi, 268EFF58h 0x00000032 jmp 00007F61C0D2D44Bh 0x00000037 popfd 0x00000038 popad 0x00000039 pop ebp 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F61C0D2D450h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC03C0 second address: 4BC03C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC03C4 second address: 4BC03CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA05A0 second address: 4BA05A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA05A4 second address: 4BA05AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BA05AA second address: 4BA05B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0BD038Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0DAB second address: 4BB0DB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0DB3 second address: 4BB0E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F61C0BD038Eh 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f jmp 00007F61C0BD038Eh 0x00000014 mov si, 35C1h 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c mov edx, ecx 0x0000001e pushfd 0x0000001f jmp 00007F61C0BD0396h 0x00000024 adc esi, 3094F908h 0x0000002a jmp 00007F61C0BD038Bh 0x0000002f popfd 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F61C0BD0395h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BB0E25 second address: 4BB0E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0D2D44Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC01A2 second address: 4BC01A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC01A8 second address: 4BC01B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0D2D44Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC01B9 second address: 4BC01BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC01BD second address: 4BC01DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F61C0D2D44Dh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC01DB second address: 4BC01DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC01DF second address: 4BC01E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC01E5 second address: 4BC01EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BC01EA second address: 4BC01F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0254 second address: 4BE0258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0258 second address: 4BE025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE025C second address: 4BE0262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0262 second address: 4BE0268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0268 second address: 4BE026C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE026C second address: 4BE0298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F61C0D2D450h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F61C0D2D44Ch 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0298 second address: 4BE02CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov eax, 4D7FF0B3h 0x00000010 mov dx, ax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F61C0BD0391h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE02CD second address: 4BE02FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F61C0D2D454h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F61C0D2D44Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE02FB second address: 4BE032E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F61C0BD0391h 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f jmp 00007F61C0BD038Dh 0x00000014 mov eax, dword ptr [76FB65FCh] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE032E second address: 4BE0334 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0334 second address: 4BE03AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F61C0BD0390h 0x00000009 and ecx, 29B60D08h 0x0000000f jmp 00007F61C0BD038Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F61C0BD0398h 0x0000001b jmp 00007F61C0BD0395h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 test eax, eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F61C0BD0398h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE03AA second address: 4BE03AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE03AE second address: 4BE03B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE03B4 second address: 4BE041D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, al 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F62330809EEh 0x00000010 pushad 0x00000011 jmp 00007F61C0D2D44Bh 0x00000016 mov cx, 451Fh 0x0000001a popad 0x0000001b mov ecx, eax 0x0000001d jmp 00007F61C0D2D452h 0x00000022 xor eax, dword ptr [ebp+08h] 0x00000025 jmp 00007F61C0D2D451h 0x0000002a and ecx, 1Fh 0x0000002d pushad 0x0000002e mov ax, 2393h 0x00000032 mov eax, 778565EFh 0x00000037 popad 0x00000038 ror eax, cl 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F61C0D2D44Ch 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE041D second address: 4BE0421 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0421 second address: 4BE0427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0427 second address: 4BE0440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0440 second address: 4BE0444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0444 second address: 4BE0461 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0461 second address: 4BE0466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0466 second address: 4BE04EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, ax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a retn 0004h 0x0000000d nop 0x0000000e mov esi, eax 0x00000010 lea eax, dword ptr [ebp-08h] 0x00000013 xor esi, dword ptr [002C2014h] 0x00000019 push eax 0x0000001a push eax 0x0000001b push eax 0x0000001c lea eax, dword ptr [ebp-10h] 0x0000001f push eax 0x00000020 call 00007F61C5530739h 0x00000025 push FFFFFFFEh 0x00000027 jmp 00007F61C0BD0394h 0x0000002c pop eax 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007F61C0BD038Eh 0x00000034 add ax, DB38h 0x00000039 jmp 00007F61C0BD038Bh 0x0000003e popfd 0x0000003f pushfd 0x00000040 jmp 00007F61C0BD0398h 0x00000045 sbb ah, FFFFFF98h 0x00000048 jmp 00007F61C0BD038Bh 0x0000004d popfd 0x0000004e popad 0x0000004f ret 0x00000050 nop 0x00000051 push eax 0x00000052 call 00007F61C5530794h 0x00000057 mov edi, edi 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F61C0BD0395h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE04EE second address: 4BE0514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f movzx eax, dx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0514 second address: 4BE0518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0518 second address: 4BE051E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE051E second address: 4BE0566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ecx, 2EA1C507h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f movzx esi, dx 0x00000012 pushfd 0x00000013 jmp 00007F61C0BD0395h 0x00000018 sub cx, 68A6h 0x0000001d jmp 00007F61C0BD0391h 0x00000022 popfd 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE0566 second address: 4BE056A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE056A second address: 4BE056E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4BE056E second address: 4BE0574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9002A second address: 4B90046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0398h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90046 second address: 4B90074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F61C0D2D456h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90074 second address: 4B90078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90078 second address: 4B90095 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90095 second address: 4B900CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c jmp 00007F61C0BD038Eh 0x00000011 xchg eax, ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F61C0BD038Dh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B900CD second address: 4B900E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 0A6Eh 0x00000007 mov dl, 5Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B900E0 second address: 4B900E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B900E4 second address: 4B900FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B900FE second address: 4B90166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov ebx, 471D2A00h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F61C0BD0395h 0x00000016 sub ax, 5C06h 0x0000001b jmp 00007F61C0BD0391h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F61C0BD0390h 0x00000027 add esi, 42035AA8h 0x0000002d jmp 00007F61C0BD038Bh 0x00000032 popfd 0x00000033 popad 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90166 second address: 4B9016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9016A second address: 4B90185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90185 second address: 4B9018B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9018B second address: 4B9018F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9018F second address: 4B901B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F61C0D2D44Eh 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx edi, cx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B901B0 second address: 4B901B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B901B6 second address: 4B901BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B901BA second address: 4B901F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b jmp 00007F61C0BD0393h 0x00000010 xchg eax, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F61C0BD0395h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B901F0 second address: 4B901F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B901F6 second address: 4B901FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B901FA second address: 4B9021A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D453h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9021A second address: 4B9021E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9021E second address: 4B90224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90224 second address: 4B9022A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9022A second address: 4B90254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F61C0D2D450h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90254 second address: 4B90263 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90263 second address: 4B90269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90269 second address: 4B9026D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9026D second address: 4B902AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c call 00007F61C0D2D44Dh 0x00000011 pushfd 0x00000012 jmp 00007F61C0D2D450h 0x00000017 and ax, 2DA8h 0x0000001c jmp 00007F61C0D2D44Bh 0x00000021 popfd 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 mov eax, ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B902AD second address: 4B902D0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007F61C0BD038Ah 0x0000000d mov dword ptr [esp], edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F61C0BD038Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B902D0 second address: 4B902D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B902D6 second address: 4B9030A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F61C0BD0390h 0x00000010 je 00007F6232F6E6A1h 0x00000016 pushad 0x00000017 mov dx, si 0x0000001a pushad 0x0000001b movzx esi, di 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9030A second address: 4B9034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000d jmp 00007F61C0D2D451h 0x00000012 je 00007F62330CB749h 0x00000018 jmp 00007F61C0D2D44Eh 0x0000001d mov edx, dword ptr [esi+44h] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov bx, A340h 0x00000027 mov cx, dx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9034A second address: 4B9035F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61C0BD0391h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9035F second address: 4B903C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or edx, dword ptr [ebp+0Ch] 0x0000000e jmp 00007F61C0D2D44Eh 0x00000013 test edx, 61000000h 0x00000019 pushad 0x0000001a call 00007F61C0D2D44Eh 0x0000001f pushad 0x00000020 popad 0x00000021 pop eax 0x00000022 popad 0x00000023 jne 00007F62330CB72Eh 0x00000029 jmp 00007F61C0D2D44Ah 0x0000002e test byte ptr [esi+48h], 00000001h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F61C0D2D44Ah 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B903C2 second address: 4B903C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B903C8 second address: 4B90402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F61C0D2D44Ch 0x00000009 xor ecx, 537500A8h 0x0000000f jmp 00007F61C0D2D44Bh 0x00000014 popfd 0x00000015 mov eax, 197D1B9Fh 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d jne 00007F62330CB6F5h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov eax, edx 0x00000028 mov dx, B5EEh 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90402 second address: 4B90408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B90408 second address: 4B9040C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9040C second address: 4B9042D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test bl, 00000007h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx edx, cx 0x00000014 mov di, ax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B9042D second address: 4B90433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80789 second address: 4B80798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80798 second address: 4B8081C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, A1h 0x00000005 pushfd 0x00000006 jmp 00007F61C0D2D450h 0x0000000b xor al, 00000068h 0x0000000e jmp 00007F61C0D2D44Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 movsx edi, cx 0x0000001c mov edi, esi 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 jmp 00007F61C0D2D458h 0x00000026 pushfd 0x00000027 jmp 00007F61C0D2D452h 0x0000002c sub ecx, 2EC72528h 0x00000032 jmp 00007F61C0D2D44Bh 0x00000037 popfd 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e call 00007F61C0D2D44Bh 0x00000043 pop eax 0x00000044 push edi 0x00000045 pop esi 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B8081C second address: 4B80888 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d mov si, ECCDh 0x00000011 pushfd 0x00000012 jmp 00007F61C0BD038Ah 0x00000017 sbb cx, 39E8h 0x0000001c jmp 00007F61C0BD038Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebx 0x00000024 pushad 0x00000025 mov cx, 38FBh 0x00000029 pushfd 0x0000002a jmp 00007F61C0BD0390h 0x0000002f and esi, 53B8CC48h 0x00000035 jmp 00007F61C0BD038Bh 0x0000003a popfd 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80888 second address: 4B8088C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B8088C second address: 4B80892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80892 second address: 4B80898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80898 second address: 4B808A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B808A7 second address: 4B808AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B808AB second address: 4B808C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0398h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B808C7 second address: 4B808EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0D2D44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F61C0D2D450h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B808EB second address: 4B808FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD038Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B808FA second address: 4B80900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80900 second address: 4B80904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B80904 second address: 4B8093F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b call 00007F61C0D2D44Ah 0x00000010 pop eax 0x00000011 mov eax, edx 0x00000013 popad 0x00000014 call 00007F61C0D2D457h 0x00000019 mov edi, ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov cl, bl 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B8093F second address: 4B80962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61C0BD0395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov dl, al 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2CECE5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2CEDAD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 4724C4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2CEC9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 12ECE5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 12EDAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 2D24C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 12EC9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Special instruction interceptor: First address: E3BC31 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Special instruction interceptor: First address: 1074616 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Special instruction interceptor: First address: 167FAF9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Special instruction interceptor: First address: 167D6BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Special instruction interceptor: First address: 18BA5CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Special instruction interceptor: First address: 81CD57 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Special instruction interceptor: First address: 9B8C72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Special instruction interceptor: First address: 9B7B93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Special instruction interceptor: First address: 9E3E88 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Special instruction interceptor: First address: A4A6CB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Special instruction interceptor: First address: 137B0B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Special instruction interceptor: First address: 137BF8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Special instruction interceptor: First address: 302FDA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Special instruction interceptor: First address: 2EDE14 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Special instruction interceptor: First address: 36272C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Special instruction interceptor: First address: CDFE59 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Special instruction interceptor: First address: F11A80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Special instruction interceptor: First address: 35DF0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Special instruction interceptor: First address: 50A707 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Special instruction interceptor: First address: 508C41 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Special instruction interceptor: First address: 35B12E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Special instruction interceptor: First address: 599CD7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Special instruction interceptor: First address: C97CAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Special instruction interceptor: First address: C97DAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Special instruction interceptor: First address: E2D7FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Special instruction interceptor: First address: EC2DF2 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Memory allocated: 2870000 memory reserve | memory write watch
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Memory allocated: 24721120000 memory reserve | memory write watch
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Memory allocated: 2473AD00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Memory allocated: 54C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Memory allocated: 5730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Memory allocated: 54C0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04C00C14 rdtsc 0_2_04C00C14
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Thread delayed: delay time: 922337203685477
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Thread delayed: delay time: 922337203685477
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 358 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1211 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1233 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1237 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1230 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1240 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1243 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window / User API: threadDelayed 1156 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window / User API: threadDelayed 1178 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window / User API: threadDelayed 1154 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window / User API: threadDelayed 1082 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window / User API: threadDelayed 1168 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window / User API: threadDelayed 1188 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Window / User API: threadDelayed 1150 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Window / User API: threadDelayed 3090
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Window / User API: threadDelayed 6715
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6711
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7958
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1620
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Window / User API: threadDelayed 588
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Window / User API: threadDelayed 764
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window / User API: threadDelayed 1155
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window / User API: threadDelayed 1139
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window / User API: threadDelayed 1146
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window / User API: threadDelayed 1138
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window / User API: threadDelayed 1155
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window / User API: threadDelayed 1150
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window / User API: threadDelayed 1122
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Window / User API: threadDelayed 1144
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window / User API: threadDelayed 665
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window / User API: threadDelayed 646
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window / User API: threadDelayed 677
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window / User API: threadDelayed 665
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window / User API: threadDelayed 614
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window / User API: threadDelayed 682
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Window / User API: threadDelayed 655
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window / User API: threadDelayed 590
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window / User API: threadDelayed 576
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window / User API: threadDelayed 580
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window / User API: threadDelayed 589
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window / User API: threadDelayed 558
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window / User API: threadDelayed 580
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Window / User API: threadDelayed 589
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019466001\6253581e35.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019467001\ec04af5574.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019464001\ebd07c8db5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UKzjyWlrjRLOjKNNlNHI.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[4].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019465001\b73717b60b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3940 Thread sleep count: 358 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3940 Thread sleep time: -716358s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2996 Thread sleep count: 1211 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2996 Thread sleep time: -2423211s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8168 Thread sleep count: 249 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8168 Thread sleep time: -7470000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2312 Thread sleep count: 1233 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2312 Thread sleep time: -2467233s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2304 Thread sleep count: 1237 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2304 Thread sleep time: -2475237s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8188 Thread sleep count: 1230 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8188 Thread sleep time: -2461230s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2056 Thread sleep count: 1240 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2056 Thread sleep time: -2481240s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8180 Thread sleep count: 1243 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8180 Thread sleep time: -2487243s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe TID: 7488 Thread sleep time: -2313156s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe TID: 6924 Thread sleep time: -2357178s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe TID: 7360 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe TID: 7468 Thread sleep time: -2309154s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe TID: 7480 Thread sleep time: -2165082s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe TID: 7496 Thread sleep time: -2337168s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe TID: 1508 Thread sleep time: -2377188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe TID: 7500 Thread sleep time: -2301150s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe TID: 7624 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -99870s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98523s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98405s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98288s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -97595s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -97218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -97089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -96491s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -96358s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -96229s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -96109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -96000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -95883s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -95780s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -95656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -95547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -95437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -95328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -95217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -94984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -94875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -94765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -94656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -94547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -94435s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -94344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -94222s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -93709s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe TID: 7608 Thread sleep time: -93557s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep count: 6711 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep count: 3020 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144 Thread sleep count: 7958 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144 Thread sleep count: 1620 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe TID: 4116 Thread sleep time: -922337203685477s >= -30000s
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe TID: 1060 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe TID: 6756 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7928 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1456 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1784 Thread sleep count: 1155 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1784 Thread sleep time: -2311155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1464 Thread sleep count: 1139 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1464 Thread sleep time: -2279139s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 2112 Thread sleep count: 1146 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 2112 Thread sleep time: -2293146s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1892 Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1892 Thread sleep count: 83 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1892 Thread sleep count: 86 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1892 Thread sleep count: 84 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1892 Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 3868 Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 2176 Thread sleep count: 1138 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 2176 Thread sleep time: -2277138s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1820 Thread sleep count: 1155 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1820 Thread sleep time: -2311155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 5368 Thread sleep count: 1150 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 5368 Thread sleep time: -2301150s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1988 Thread sleep count: 1122 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 1988 Thread sleep time: -2245122s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 2024 Thread sleep count: 1144 > 30
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe TID: 2024 Thread sleep time: -2289144s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 2316 Thread sleep count: 665 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 2316 Thread sleep time: -1330665s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 2992 Thread sleep count: 646 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 2992 Thread sleep time: -1292646s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 3692 Thread sleep count: 677 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 3692 Thread sleep time: -1354677s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 1264 Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 2328 Thread sleep count: 665 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 2328 Thread sleep time: -1330665s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 6876 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 5080 Thread sleep count: 614 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 5080 Thread sleep time: -1228614s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 4568 Thread sleep count: 682 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 4568 Thread sleep time: -1364682s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 692 Thread sleep count: 655 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 692 Thread sleep time: -1310655s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7372 Thread sleep count: 590 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7372 Thread sleep time: -1180590s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6992 Thread sleep count: 576 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6992 Thread sleep time: -1152576s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7524 Thread sleep time: -52000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6932 Thread sleep count: 580 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6932 Thread sleep time: -1160580s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 4336 Thread sleep count: 589 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 4336 Thread sleep time: -1178589s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7188 Thread sleep count: 558 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7188 Thread sleep time: -1116558s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 2232 Thread sleep count: 580 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 2232 Thread sleep time: -1160580s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7716 Thread sleep count: 589 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7716 Thread sleep time: -1178589s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 7888 Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 7888 Thread sleep time: -222111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 7852 Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 7852 Thread sleep time: -214107s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 8156 Thread sleep count: 102 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 8156 Thread sleep time: -204102s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 7708 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 3704 Thread sleep count: 108 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 3704 Thread sleep time: -216108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 1244 Thread sleep count: 101 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 1244 Thread sleep time: -202101s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 3164 Thread sleep count: 113 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 3164 Thread sleep time: -226113s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 2416 Thread sleep count: 118 > 30
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe TID: 2416 Thread sleep time: -236118s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 1072 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6164 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6164 Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7020 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7020 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7136 Thread sleep count: 254 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 7136 Thread sleep time: -1524000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6332 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6332 Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6396 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6396 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe TID: 6896 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe TID: 6584 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe TID: 6040 Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe TID: 6040 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe TID: 5380 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe TID: 6248 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe TID: 432 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe TID: 7344 Thread sleep time: -32016s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 99870
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 99750
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 99640
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98875
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98523
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98405
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98288
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98156
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 98047
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 97937
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 97828
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 97595
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 97469
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 97359
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 97218
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 97089
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 96491
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 96358
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 96229
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 96109
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 96000
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 95883
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 95780
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 95656
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 95547
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 95437
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 95328
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 95217
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 95094
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 94984
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 94875
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 94765
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 94656
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 94547
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 94435
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 94344
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 94222
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 93709
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Thread delayed: delay time: 93557
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Thread delayed: delay time: 922337203685477
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Thread delayed: delay time: 922337203685477
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: file.exe, 00000000.00000002.1727642708.0000000000453000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1766042683.00000000002B3000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1776070516.00000000002B3000.00000040.00000001.01000000.00000007.sdmp, 48a114f480.exe, 00000011.00000002.2760652164.000000000180A000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: c534667f0b.exe, 0000000A.00000002.2755889265.0000000000D16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-
Source: 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 0016128732.exe, 00000007.00000003.2484812332.0000000006D31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlI%
Source: 03f60c0f6e.exe, 00000009.00000002.2856372568.0000000001166000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8v
Source: 22129f7e57cc4f01a77377b20bd0ace2.exe, 00000013.00000002.2861596832.000002473F4F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll +
Source: 03f60c0f6e.exe, 00000009.00000002.2856372568.000000000119A000.00000004.00000020.00020000.00000000.sdmp, 1a0440fbc4.exe, 0000002B.00000003.3627706997.0000000001619000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: c534667f0b.exe, 0000000A.00000002.2755889265.0000000000D16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: file.exe, 00000000.00000002.1727642708.0000000000453000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1766042683.00000000002B3000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1776070516.00000000002B3000.00000040.00000001.01000000.00000007.sdmp, 48a114f480.exe, 00000011.00000002.2760652164.000000000180A000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 0016128732.exe, 00000007.00000003.2482772655.0000000001B52000.00000004.00000020.00020000.00000000.sdmp, c534667f0b.exe, 0000000A.00000002.2755889265.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3120918435.000001EE4EC2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04C00C14 rdtsc 0_2_04C00C14
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0029652B mov eax, dword ptr fs:[00000030h] 0_2_0029652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0029A302 mov eax, dword ptr fs:[00000030h] 0_2_0029A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_000FA302 mov eax, dword ptr fs:[00000030h] 1_2_000FA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_000F652B mov eax, dword ptr fs:[00000030h] 1_2_000F652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_000FA302 mov eax, dword ptr fs:[00000030h] 2_2_000FA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_000F652B mov eax, dword ptr fs:[00000030h] 2_2_000F652B
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: c534667f0b.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ca42ff3133e49daac5eafe0960f7af0.exe PID: 6276, type: MEMORYSTR
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\dciqrtt"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\dciqrtt"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
LummaC encrypted strings found
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: 03f60c0f6e.exe, 00000009.00000002.2856130335.0000000001090000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: treehoneyi.click
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe "C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe "C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe "C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe "C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe "C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe "C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe "C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe "C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe "C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe "C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe "C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\dciqrtt"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe "C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe"
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Process created: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe "C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe"
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Process created: unknown unknown
Source: skotes.exe, skotes.exe, 00000002.00000002.1776256880.00000000002F7000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: ;Program Manager
Source: 48a114f480.exe, 00000011.00000002.2760652164.000000000180A000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: AProgram Manager
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019456001\48a114f480.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019458001\906ea9c047.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019461001\1a0440fbc4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019464001\ebd07c8db5.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019464001\ebd07c8db5.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019465001\b73717b60b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019465001\b73717b60b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019466001\6253581e35.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019466001\6253581e35.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019467001\ec04af5574.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019467001\ec04af5574.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019455001\c534667f0b.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Queries volume information: C:\ VolumeInformation
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Queries volume information: C:\ VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\System32\WinMetadata\Windows.Globalization.winmd VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.WindowsRuntime.dll VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\System32\WinMetadata\Windows.Data.winmd VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\dciqrtt\22129f7e57cc4f01a77377b20bd0ace2.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFED52.tmp VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019457001\fde7a493e9.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0027CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0027CBEA
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1019462001\3c08a943ba.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: 0016128732.exe, 00000007.00000003.2452688140.00000000077B6000.00000004.00001000.00020000.00000000.sdmp, 48a114f480.exe, 00000011.00000002.2759465548.0000000001511000.00000040.00000001.01000000.0000000F.sdmp, 48a114f480.exe, 00000011.00000003.2718192248.0000000007A20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: 03f60c0f6e.exe, 00000009.00000002.2856372568.000000000119A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys Clipper DLL
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1019464001\ebd07c8db5.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe, type: DROPPED
Yara detected Amadeys stealer DLL
Source: Yara match File source: 2.2.skotes.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1775834203.00000000000C1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1727101383.0000000000261000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1765829717.00000000000C1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 03f60c0f6e.exe PID: 2688, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 00000026.00000003.3162743621.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.3319476192.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 18.0.3ca42ff3133e49daac5eafe0960f7af0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2763054192.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: c534667f0b.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ca42ff3133e49daac5eafe0960f7af0.exe PID: 6276, type: MEMORYSTR
Source: Yara match File source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 03f60c0f6e.exe, 00000009.00000002.2858415028.0000000003690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: 03f60c0f6e.exe, 00000009.00000002.2858415028.0000000003690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: 03f60c0f6e.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 03f60c0f6e.exe, 00000009.00000002.2858415028.0000000003690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 03f60c0f6e.exe String found in binary or memory: Wallets/Exodus
Source: 03f60c0f6e.exe, 00000009.00000002.2858415028.0000000003690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: 03f60c0f6e.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 03f60c0f6e.exe String found in binary or memory: keystore
Tries to harvest and steal Bitcoin Wallet information
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1019460001\fa82de29a9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Local\Temp\1019463001\17e7d05a4e.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1019459001\98d75c3c44.exe Directory queried: number of queries: 2002
Source: C:\Users\user\AppData\Local\Temp\1019454001\03f60c0f6e.exe Directory queried: number of queries: 1001
Yara detected Credential Stealer
Source: Yara match File source: 00000022.00000003.3404178194.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2750094261.00000000036D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2715417561.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2745554337.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 03f60c0f6e.exe PID: 2688, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\AppData\Local\Temp\1019453001\0016128732.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 03f60c0f6e.exe PID: 2688, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 00000026.00000003.3162743621.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.3319476192.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 18.0.3ca42ff3133e49daac5eafe0960f7af0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2763054192.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2763054192.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: c534667f0b.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ca42ff3133e49daac5eafe0960f7af0.exe PID: 6276, type: MEMORYSTR
Source: Yara match File source: C:\dciqrtt\3ca42ff3133e49daac5eafe0960f7af0.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1579322 Sample: file.exe Startdate: 21/12/2024 Architecture: WINDOWS Score: 100 163 Found malware configuration 2->163 165 Antivirus detection for dropped file 2->165 167 Antivirus / Scanner detection for submitted sample 2->167 169 17 other signatures 2->169 9 skotes.exe 4 73 2->9         started        14 file.exe 5 2->14         started        16 98d75c3c44.exe 2->16         started        18 4 other processes 2->18 process3 dnsIp4 147 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 9->147 149 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 9->149 151 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 9->151 105 C:\Users\user\AppData\...\ec04af5574.exe, PE32+ 9->105 dropped 107 C:\Users\user\AppData\...\6253581e35.exe, PE32 9->107 dropped 109 C:\Users\user\AppData\...\b73717b60b.exe, PE32 9->109 dropped 117 27 other malicious files 9->117 dropped 211 Creates multiple autostart registry keys 9->211 213 Hides threads from debuggers 9->213 215 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->215 20 fa82de29a9.exe 9->20         started        25 c534667f0b.exe 9->25         started        27 17e7d05a4e.exe 9->27         started        31 8 other processes 9->31 111 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->111 dropped 113 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->113 dropped 217 Detected unpacking (changes PE section rights) 14->217 219 Tries to evade debugger and weak emulator (self modifying code) 14->219 221 Tries to detect virtualization through RDTSC time measurements 14->221 29 skotes.exe 14->29         started        115 C:\Users\...\Q1QDVYP373AX8IG2OVIMRA4D.exe, PE32 16->115 dropped 223 Query firmware table information (likely to detect VMs) 16->223 225 Tries to steal Crypto Currency Wallets 16->225 227 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->227 153 23.218.208.109 AS6453US United States 18->153 155 127.0.0.1 unknown unknown 18->155 file5 signatures6 process7 dnsIp8 127 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 20->127 83 C:\Users\user\Documents\JEHIIDGCFH.exe, PE32 20->83 dropped 85 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->85 dropped 97 12 other files (8 malicious) 20->97 dropped 183 Drops PE files to the document folder of the user 20->183 185 Tries to steal Mail credentials (via file / registry access) 20->185 203 6 other signatures 20->203 33 chrome.exe 20->33         started        129 20.233.83.145 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->129 131 185.199.111.133 FASTLYUS Netherlands 25->131 87 C:\...\3ca42ff3133e49daac5eafe0960f7af0.exe, PE32 25->87 dropped 89 C:\...\22129f7e57cc4f01a77377b20bd0ace2.exe, PE32 25->89 dropped 187 Multi AV Scanner detection for dropped file 25->187 189 Adds a directory exclusion to Windows Defender 25->189 35 3ca42ff3133e49daac5eafe0960f7af0.exe 25->35         started        39 powershell.exe 25->39         started        41 powershell.exe 25->41         started        47 2 other processes 25->47 133 104.21.67.146 CLOUDFLARENETUS United States 27->133 191 Query firmware table information (likely to detect VMs) 27->191 193 Tries to detect sandboxes and other dynamic analysis tools (window names) 27->193 195 Tries to harvest and steal browser information (history, passwords, etc) 27->195 197 Detected unpacking (changes PE section rights) 29->197 205 2 other signatures 29->205 135 98.85.100.80 TWC-11351-NORTHEASTUS United States 31->135 137 185.156.73.23 RELDAS-NETRU Russian Federation 31->137 139 4 other IPs or domains 31->139 91 C:\Users\user\AppData\...\service123.exe, PE32 31->91 dropped 93 C:\Users\...\VNY2C8VS9PYFPN1RMQ1W6IX8NL5.exe, PE32 31->93 dropped 95 C:\Users\user\...\UKzjyWlrjRLOjKNNlNHI.dll, PE32 31->95 dropped 99 3 other files (1 malicious) 31->99 dropped 199 Attempt to bypass Chrome Application-Bound Encryption 31->199 201 Found many strings related to Crypto-Wallets (likely being stolen) 31->201 207 7 other signatures 31->207 43 cmd.exe 31->43         started        45 chrome.exe 31->45         started        file9 signatures10 process11 dnsIp12 49 chrome.exe 33->49         started        119 149.154.167.99 TELEGRAMRU United Kingdom 35->119 121 94.130.188.57 HETZNER-ASDE Germany 35->121 171 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->171 173 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->173 175 Tries to harvest and steal browser information (history, passwords, etc) 35->175 181 2 other signatures 35->181 51 chrome.exe 35->51         started        66 3 other processes 35->66 177 Loading BitLocker PowerShell Module 39->177 53 conhost.exe 39->53         started        55 conhost.exe 41->55         started        179 Uses cmd line tools excessively to alter registry or file data 43->179 57 in.exe 43->57         started        61 7z.exe 43->61         started        68 10 other processes 43->68 123 239.255.255.250 unknown Reserved 45->123 63 chrome.exe 45->63         started        125 2.20.41.184 AKAMAI-ASUS European Union 47->125 signatures13 process14 dnsIp15 70 chrome.exe 51->70         started        101 C:\Users\...\Intel_PTT_EK_Recertification.exe, PE32+ 57->101 dropped 209 Uses cmd line tools excessively to alter registry or file data 57->209 73 attrib.exe 57->73         started        75 attrib.exe 57->75         started        103 C:\Users\user\AppData\Local\Temp\...\in.exe, PE32+ 61->103 dropped 157 172.217.19.131 GOOGLEUS United States 63->157 159 172.217.19.228 GOOGLEUS United States 63->159 161 2 other IPs or domains 63->161 77 chrome.exe 66->77         started        79 chrome.exe 66->79         started        81 chrome.exe 66->81         started        file16 signatures17 process18 dnsIp19 141 142.251.37.163 GOOGLEUS United States 70->141 143 142.251.37.238 GOOGLEUS United States 70->143 145 4 other IPs or domains 70->145
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.121.15.192
 unknown Spain
207046 REDSERVICIOES false
172.217.19.228
 unknown United States
15169 GOOGLEUS false
172.217.19.206
 unknown United States
15169 GOOGLEUS false
98.85.100.80
 unknown United States
11351 TWC-11351-NORTHEASTUS false
173.194.76.84
 unknown United States
15169 GOOGLEUS false
185.199.111.133
 unknown Netherlands
54113 FASTLYUS false
149.154.167.99
 unknown United Kingdom
62041 TELEGRAMRU false
23.218.208.109
 unknown United States
6453 AS6453US false
142.251.37.42
 unknown United States
15169 GOOGLEUS false
64.233.164.84
 unknown United States
15169 GOOGLEUS false
185.156.73.23
 unknown Russian Federation
48817 RELDAS-NETRU false
142.251.37.163
 unknown United States
15169 GOOGLEUS false
172.67.197.170
 unknown United States
13335 CLOUDFLARENETUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false
1.1.1.1
 unknown Australia
13335 CLOUDFLARENETUS false
216.58.212.110
 unknown United States
15169 GOOGLEUS false
2.20.41.184
 unknown European Union
16625 AKAMAI-ASUS false
216.58.211.196
 unknown United States
15169 GOOGLEUS false
172.217.19.131
 unknown United States
15169 GOOGLEUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
20.233.83.145
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
188.114.96.6
 unknown European Union
13335 CLOUDFLARENETUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.251.37.238
 unknown United States
15169 GOOGLEUS false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
94.130.188.57
 unknown Germany
24940 HETZNER-ASDE false
104.21.67.146
 unknown United States
13335 CLOUDFLARENETUS false

Private

IP
127.0.0.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
aspecteirs.lat true
    energyaffai.lat true
      grannyejh.lat true
        necklacebudi.lat true